help! searches redirect

bearax

ok..... when I do a search I randomly get redirected to various sites. This doesn't happen all the time. If I ctrl-click to open in a new tab it doesn't happen; if I click directly on a search item, sometimes it redirects. It appears to be a JavaScript... if I disable Java in Firefox it presents me with a [click here for link] button on a blank page.

I have followed the very comprehensive antimalware guide pretty closely. I was already running MS Security Essentials, but I downloaded and installed Malwarebytes, SuperAntiSpyware, Spybot S&D, disabled System Restore, ran all of the software above in safe mode, found nothing. I ran HJT and went through the list; everything looked ok, but I can't be certain I know what everything was. I have exhausted my limited resources trying to figure this out w/o bugging people. I did see another thread where someone has a similar problem, but there were no suggestions...

I am not sure if this is related (although it would be a huge coincidence), but MS-SE keeps finding the Win32/Pdfjsc.DE virus. It finds it... I tell it to remove it. It finds it again. I run a full system scan and it doesn't find anything.

I could really use some help or suggestions on what to do next.
 
I would recommend updating Java to the latest version and also the Microsoft Security Essentials definitions if you haven't.

Uninstall the old versions of Java if they are still there after you update it.

Posting a HijackThis log here could be helpful. Just use quote tags when doing so ;)
 
Well, that virus seems to have an effect on browsers, as per this post:
http://forums.techguy.org/virus-other-malware-removal/928400-weird-internet-issues.html

Last night I received a message from Microsoft Security Essentials alerting me that a file called "Win32/pdfjsc.DE" was a virus. I removed the file. Now, Google Chrome and Internet Explorer refuse to load any webpages. I have re-installed the browsers, but they still refuse to load any web pages. Last night, I also had problems installing AVG Anti-Virus and Spybot Search & Destroy. How can I get my browsers to work again? (I am using Firefox)
 
Here is my log file. I have uninstalled and reinstalled Java already, same results. MS SE is fully updated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:33 PM, on 6/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
D:\System Apps\Display Tools\Stardock\ThinkDesk\Multiplicity\MultiSrv32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\System Apps\Security Tools\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Media Apps\Java\bin\jqs.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\System Apps\Drive Tools\Daemon-Tools\daemon.exe
D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Microsoft Office\Office12\GrooveMonitor.exe
D:\Media Apps\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Mike.OBELISK\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\System Apps\Security Tools\SUPERAntispyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\System Apps\Security Tools\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Mike.OBELISK\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Drivers\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\Graphic Apps\GSP\Software\GspComposer.exe
D:\Internet Apps\Mozilla Firefox\firefox.exe
D:\Internet Apps\Pidgin\pidgin.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Graphic Apps\GSP\Software\GspPlot.exe
D:\Graphic Apps\GSP\Software\GQMgr.exe
D:\Graphic Apps\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe
D:\Graphic Apps\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Graphic Apps\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SYSTEM~2\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Media Apps\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Media Apps\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Graphic Apps\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\System Apps\Drive Tools\Daemon-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] "D:\Media Apps\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "D:\Media Apps\AV Playback\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Graphic Apps\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Mike.OBELISK\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\System Apps\Security Tools\SUPERAntispyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\System Apps\Security Tools\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Drivers\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Graphic Apps\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SYSTEM~2\SECURI~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SYSTEM~2\SECURI~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220197325812
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\System Apps\Security Tools\SUPERAntispyware\SASWINLO.DLL
O20 - Winlogon Notify: Multi - D:\System Apps\Display Tools\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\System Apps\Security Tools\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Media Apps\Java\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: Stardock Multiplicity (Multiplicity) - Unknown owner - D:\System Apps\Display Tools\Stardock\ThinkDesk\Multiplicity\MultiSrv32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14159 bytes
 
Check out the malware removal thread stickied at the top of this forum, a lot of people put a lot of effort into putting together that sticky thread...every single tool you need is right in that list.
 
It most likely is the same new rootkit which isn't detectable (yet) that some idiot employee got on his PC a few days back.

I ran damn near everything on the malware thread (hilariously I had most of those tools in my arsenal already before I even read that thread) and couldn't find all of it. Every program found and removed something. I even ran some stuff with the HDD in another PC. HijackThis was clean. Nothing was hooking executables. It affected all browsers.

Just a heads up that you may be screwed if you have what this guy had. Due to a time constraint, I ended up clean installing.
 
It most likely is the same new rootkit which isn't detectable (yet) that some idiot employee got on his PC a few days back.

Does this mean I am an idiot too?

Just a heads up that you may be screwed if you have what this guy had. Due to a time constraint, I ended up clean installing.

That would indeed suck. A clean install on this machine would be a pain. Thanks for the input!
 
Just finished fixing a coworker's home computer of the same type of virus.

It came to me with an anti-virus fraud program installed so I ran malwarebytes and it seemed to do the trick. She gets it home and calls me a couple hours later describing the same issue you're having.

I followed a guide on MajorGeeks running Malwarebytes, SuperAntiSpyware, ComboFix, RootRepeal, and MGTools.

So as Shadowssong said, try ComboFix. For me that's what ended up fixing it for good, but I continued on with most of the steps anyway (except posting logs). 2 weeks now and she's had no more problems.

Good luck.
 
ok.... I have done the following (everything has the latest updates)

Run in safe mode, in this order:
CCleaner
Malwarebytes
SuperAntiSpyware
Spybot S&D
ComboFix

Run in normal Windows, in this order:
CCleaner
Malwarebytes
SuperAntiSpyware
Spybot S&D
ComboFix

Run in safe mode, in this order:
SuperAntiSpyware
Malwarebytes
RootRepeal
MGTools

Run in normal Windows, in this order:
SuperAntiSpyware
Malwarebytes
RootRepeal
MGTools

I have run at various times:
CWShredder
Norton Power Eraser
RootkitBuster
CCleaner
HijackThis

Nothing finds anything.
Current AV is Microsoft Security Essentials; installing Avira, will let that do a scan.

I have loaded Firefox in safe mode, still redirects.
I have uninstalled and reinstalled Java.
I have not tried uninstalling Firefox and Internet Explorer 8 yet (redirect happens in both).

Other than nuking from space (it's the only way to be sure), does anybody have any other suggestions?
 
I'm in a remote session right now with a client's rig that has been having redirect issues... do a search and click on a normal-looking link from Google and you get a browser redirect to affiliate sites.

Malwarebytes scan yesterday, clean
SuperAntiSpyware scan... just 40 or so cookies... nothing worthwhile
Spybot scan, clean
This morning NOD32 finally kicked in with W32/Adware.SpywareProtect2009... but couldn't clean the file. I did a search for removing that malware: nothing in the registry, no processes that were listed by cleaning sites belonging to it, system32 looked clean... but NOD found it in users profile\local settings\temporary internet files\content.ie5\z4hvyguo\cooler[1].aspx

So I manually whacked the contents of the hidden content.ie5 directory.
Doing a deep scan with MWB now and it's found 6 things finally with today's defs.
 
This morning NOD32 finally kicked in with W32/Adware.SpywareProtect2009... but couldn't clean the file. I did a search for removing that malware: nothing in the registry, no processes that were listed by cleaning sites belonging to it, system32 looked clean... but NOD found it in users profile\local settings\temporary internet files\content.ie5\z4hvyguo\cooler[1].aspx

So I manually whacked the contents of the hidden content.ie5 directory.
Doing a deep scan with MWB now and it's found 6 things finally with today's defs.

Well, I am running Avira right now, and I am downloading the NOD32 demo; I will have to uninstall Avira and MS-SE before installing NOD. I checked and there is absolutely nothing in the temp internet folder. If it's hidden... would I need to do anything besides have "show hidden files" ticked on in the folder settings?

please keep me posted on your progress!! THANKS!!
 
ok.... I have done the following (everything has the latest updates)

Run in safe mode, in this order:
CCleaner
Malwarebytes
SuperAntiSpyware
Spybot S&D
ComboFix

Run in normal Windows, in this order:
CCleaner
Malwarebytes
SuperAntiSpyware
Spybot S&D
ComboFix

Run in safe mode, in this order:
SuperAntiSpyware
Malwarebytes
RootRepeal
MGTools

Run in normal Windows, in this order:
SuperAntiSpyware
Malwarebytes
RootRepeal
MGTools

I have run at various times:
CWShredder
Norton Power Eraser
RootkitBuster
CCleaner
HijackThis

Nothing finds anything.
Current AV is Microsoft Security Essentials; installing Avira, will let that do a scan.

I have loaded Firefox in safe mode, still redirects.
I have uninstalled and reinstalled Java.
I have not tried uninstalling Firefox and Internet Explorer 8 yet (redirect happens in both).

Other than nuking from space (it's the only way to be sure), does anybody have any other suggestions?

SAS, Spybot and CCleaner aren't doing shit. Download GMER and try running that.
Post your ComboFix log here (it's located at C:\) and we can see if there are any clues as to what is going on.
Make sure you are following this guide for ComboFix.
And here is GMER.

After that, try running the free ESET Online AV Scanner.

There are only a few "possible" problems in your HijackThis log:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

-- Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll - LinkScanner, http://linkscanner.explabs.com/linkscanner/default.asp

Also do me a favor and check the following path:
C:\Program Files\Ad-Aware\
Does this folder exist?
If so, then the folder that contains:
D:\System Apps\Security Tools\Ad-Aware\aawservice.exe
could possibly be infected, as this is not the normal location for this service.

Could you please clarify how your hard drives are setup?
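A small triage script for HijackThis-style logs, added here as an example; it is not code from the thread or from HijackThis. It applies the kinds of checks the post above makes by eye: orphaned "(no file)" BHO entries, services with no company name, binaries outside the default program directories, and bare executable names in Run keys. The sample lines are constructed from the log format posted earlier in the thread, EXPECTED_ROOTS assumes a default 32-bit XP layout, and the flag wording is mine.

```python
"""Triage helper for HijackThis-style logs (added example; not code from the
thread or from HijackThis)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the HijackThis v2 line format posted earlier in the
# thread; this is not a real scan result.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\\..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\\..\\Run: [MSSE] "C:\\Program Files\\Microsoft Security Essentials\\msseces.exe" -hide -runkey
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\\System Apps\\Security Tools\\Ad-Aware\\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Assumed default locations on a 32-bit XP install. A binary elsewhere is a
# prompt to confirm it is the real install, not evidence of infection: the
# poster installs to D:\ on purpose.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

@dataclass
class Finding:
    section: str  # HJT section tag such as "O2" or "O23"
    reason: str   # why the line deserves a second look
    line: str     # the original log line

_ENTRY = re.compile(r"^(?P<tag>O\d+|R\d) - (?P<body>.*)$")
_RUN_CMD = re.compile(r'\[[^\]]*\]\s*(?P<cmd>"[^"]*"|\S+)')

def _outside_roots(path: str) -> bool:
    return not path.strip().lower().startswith(EXPECTED_ROOTS)

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        tag, body = m.group("tag"), m.group("body")
        if tag in ("O2", "O3"):  # BHOs and toolbars: "name - {CLSID} - path"
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            path = parts[2]
            if path.strip().lower() == "(no file)":
                findings.append(Finding(tag, "orphaned entry, no file on disk; safe to fix in HJT", line))
            elif _outside_roots(path):
                findings.append(Finding(tag, "loaded from outside the default program directories; confirm the file", line))
        elif tag == "O4" and "Run" in body:  # autostart entries: "[name] command"
            cm = _RUN_CMD.search(body)
            if cm:
                cmd = cm.group("cmd").strip('"')
                if "\\" not in cmd and not cmd.startswith("%"):
                    findings.append(Finding(tag, "bare executable name, no directory; check which file actually gets run", line))
        elif tag == "O23":  # services: "Service: name - owner - path"
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            owner, path = parts[1], parts[2]
            if owner.strip().lower() == "unknown owner":
                findings.append(Finding(tag, "service binary has no company name; verify publisher and signature", line))
            if _outside_roots(path):
                findings.append(Finding(tag, "service binary outside the default program directories; confirm the intended install", line))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HJT section, handy for a quick first look."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the constructed sample this flags four lines: the orphaned WormRadar BHO, the bare KHALMNPR.EXE Run entry, the "Unknown owner" ATI service, and the Ad-Aware service on D:\. As the post above says, the last one is only a location check; the poster's own explanation of the D:\ install settles it.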
 
I checked and there is absolutely nothing in the temp internet folder. If it's hidden... !
Yes, the content.ie5 folder is there, you just can't see it. I just type in the path of that folder manually... since I do it so often I find manually drilling into hidden folders is better than putzing around with the "show" values.
 
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

I thought that looked a little sketchy... should I select it and hit "fix"?

-- Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll - LinkScanner, http://linkscanner.explabs.com/linkscanner/default.asp

Also do me a favor and check the following path:
C:\Program Files\Ad-Aware\
Does this folder exist?
If so, then the folder that contains:
D:\System Apps\Security Tools\Ad-Aware\aawservice.exe
could possibly be infected, as this is not the normal location for this service.

Could you please clarify how your hard drives are set up?

Drives are:
C:\ (system drive)
D:\ (this is where I install my programs). The D:\System Apps\Security Tools\Ad-Aware folder is where I did install Ad-Aware. I tend to not install apps (especially AV/anti-malware etc.) to default directories because I read a while back that it MAY be better to install in a non-default directory because some viruses targeted AV default dirs. Shrug... it made sense at the time. :D
E:\ (storage)
 
So when I ran Norton Power Eraser it came up with one file that was suspicious, dbcc.sys. I googled it and didn't find anything at all about it. I just ran GMER and its initial startup scan shows the following:

Type            Name                        Value
AttachedDevice  \FileSystems\Ntfs\Ntfs      SiWinacc.sys [Windows Accelerator Driver/Silicon Image,Inc.]
AttachedDevice  \FileSystems\Fastfat\Fat    SiWinacc.sys [Windows Accelerator Driver/Silicon Image,Inc.]

AND...

AttachedDevice  \Driver\Tcpip\Device\Tcp    dbcc.sys

Is this anything??
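A parser and triage pass for GMER's AttachedDevice rows, added as an example and not code from the thread or from GMER. It reads the three rows pasted above (constructed here from the post), tolerates the dotted column padding GMER produces when its output is copied as text, and flags a driver that has no bracketed description and that sits on the TCP/IP device stack. The flag wording, and the assumption that the bracketed text is GMER's description of the driver file, are mine.

```python
"""Triage of GMER 'AttachedDevice' rows (added example; not GMER code or code
from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the rows the poster pasted. GMER pads columns with dots when
# copied as text, so both the dotted and the space-separated form appear here.
SAMPLE_GMER = """\
Type..................Name............................Value
AttachedDevice...\\FileSystems\\Ntfs\\Ntfs...SiWinacc.sys [Windows Accelerator Driver/Silicon Image,Inc.]
AttachedDevice \\FileSystems\\Fastfat\\Fat SiWinacc.sys [Windows Accelerator Driver/Silicon Image,Inc.]
AttachedDevice...\\Driver\\Tcpip\\Device\\Tcp...dbcc.sys
"""

@dataclass
class AttachedDevice:
    target: str                  # device object the driver attached itself to
    driver: str                  # driver file name
    description: Optional[str]   # bracketed text GMER printed for the file, if any

@dataclass
class Finding:
    driver: str
    reason: str

_ROW = re.compile(
    r"^AttachedDevice\s+(?P<target>\S+)\s+(?P<driver>\S+)(?:\s+\[(?P<desc>[^\]]*)\])?"
)

def parse_gmer(text: str) -> List[AttachedDevice]:
    """Return every AttachedDevice row; other rows (headers etc.) are ignored."""
    rows: List[AttachedDevice] = []
    for line in text.splitlines():
        line = re.sub(r"\.{2,}", " ", line.strip())  # dotted padding -> whitespace
        m = _ROW.match(line)
        if m:
            rows.append(AttachedDevice(m.group("target"), m.group("driver"), m.group("desc")))
    return rows

def triage(rows: List[AttachedDevice]) -> List[Finding]:
    """Flag drivers that lack a description or that filter the TCP/IP stack."""
    findings: List[Finding] = []
    for r in rows:
        reasons = []
        if r.description is None:
            reasons.append("driver file has no description; look up the file and its publisher")
        if r.target.lower().startswith("\\driver\\tcpip"):
            # A filter on Tcpip sees every connection, which is consistent with
            # the search redirects in this thread. Per the advice later in the
            # thread, detach it with a removal tool rather than deleting the
            # file by hand, or the TCP/IP stack can break.
            reasons.append("attached to the TCP/IP stack; detach with a removal tool, do not delete the file by hand")
        if reasons:
            findings.append(Finding(r.driver, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(parse_gmer(SAMPLE_GMER)):
        print(f"{f.driver}: {f.reason}")
```

On the sample only dbcc.sys is flagged, on both counts; the two SiWinacc.sys rows carry a vendor description and sit under the file systems, so they pass.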
 
That BHO is legit; it is part of the AVG Toolbar.
http://www.systemlookup.com/CLSID/39866-LinkScannerIE_dll_avgssie_dll_avgssiea_dll.html

Though my guess is that you have uninstalled or deactivated the toolbar and this BHO is just a fragment left over that didn't get removed.

SystemLookup is the former CastleCops database.


You seem like you are a bit over your head and may want to get some help from a professional malware removal forum (still free, but staffed by heavily trained volunteers).

Some examples are:
www.geekstogo.com
www.bleepingcomputer.com
www.spywareinfoforum.com
etc.

These people live for fun ones like this. Additionally, programs like ComboFix and other more powerful programs are written by members of these forums (in the case of ComboFix, it is written by a guy called sUBs). So if you have a nasty new variant, the files are sent to the program authors, who then update their programs to help out others. So a little good comes out of it. :D

My guess is that could be part of it; removing a driver from the TCP/IP stack improperly can make things worse (in fact it can break the TCP/IP stack). So it has to be done in a certain way.

Additionally, there may be entries that LOOK legit but throw up flags for a trained malware remover.
 
I am having the same issue with 2 computers. They got "Antimalware Doctor" on them. I have done "everything" and it still redirects.
One computer I could just ghost (but I just did that 6 months ago), but the other one I would have to spend 5 hours reinstalling and configuring things on.
The real issue is between the chair and the keyboard since she somehow managed to get it on 2 computers.
 
So, NOD32 did the trick (or so it appears). After following several guides (thank you to everybody who posted suggestions), a scan by NOD32 found, isolated, then eliminated the threat. Thank you YeOldeStonecat for the suggestion.

Two things to note... this is my very first virus and I have been playing with computers since '84. It was a rootkit (Win32/Rootkit.Agent.NRO trojan) disguised as that dbcc.sys file. Both Norton Power Eraser and MGTools said it looked "suspicious" but I could find nothing on dbcc.sys when I googled it, so I was wary to just delete it. NOD32 just said this is bad... disabled it and rebooted my machine.

The other thing is... I'm not 100% sure where I got this virus. I was doing two things at the same time so it had to be one or the other. I did a Google image search for "yoda clipart" as I loaded a PDF from a client off my USB drive. FWIW the PDF was generated by a Mac. I clicked an image search link for what appeared to be a kids' coloring book site as the PDF was loading and bam... a Java splash screen window BRIEFLY popped up and that was it. There was no user input asking to install or anything AT ALL. Now in either case there was no running, downloading, installing or clicking except on the initial search link and PDF (loaded into Illustrator, not Acrobat). I have NEVER had a virus before this because I don't do stupid sh*t (mostly); I update the OS, my browsers, and AV regularly. This thing just infected my machine and if I had blinked when the Java window popped up I would have been clueless as to where it came from. I also had that pdfjsc.de alert pop up shortly after all this hit the fan. MS-SE found and quarantined that though... perhaps it was a distraction...?

Anybody that is curious about testing if the site is infected... I am NOT going back there to give you a proper link. I did a Google image search set to line art for "yoda clip art"; the infected (I think, at least) search result link was titled "Yoda coloring pages" and was a full body profile shot of Yoda leaning on a cane. The site was fun-with-pictures.com. Honestly I am a bit paranoid about even putting the USB drive back in my machine.

Ok... gonna wrap it up... just want to say thanks to everybody for their tips and suggestions. I give NOD32 two big thumbs up, and would suggest it for anybody who is having this issue.
 
Your best bet of avoiding more infections is to upgrade your OS to a more modern OS. I keep saying it over and over but XP is so old now that it is just being pummeled with exploits so your chances of being infected are much greater than if you ran Vista/Windows 7.

I could test that site on an XP VM if you wanted, I just installed it and updated everything.

Honestly sometimes you just can't avoid getting infected. Sometimes you just accidentally visit a site and a trojan dropper just plops that shit down in your system. It's something that happens to a lot of people and that's why there are so many tools to fight against it. If you are paranoid the sure-fire solution is to reformat. It's good to do this because cleaning malware is never a 100% sure thing, but it can be damn close and in most cases the system does get clean. But again, if you can't shake the paranoia then just reformat.
 
Your best bet of avoiding more infections is to upgrade your OS to a more modern OS. I keep saying it over and over but XP is so old now that it is just being pummeled with exploits so your chances of being infected are much greater than if you ran Vista/Windows 7.
Yeah... I know. I am not a holdout; the software I use daily isn't compatible with Vista/7. I know I could do XP Mode but I have been too lazy to experiment with it. Sadly the machine I run daily at work is pretty ancient as well (Athlon XP 2500+). No money for any sort of upgrades. Blah.

I could test that site on an XP VM if you wanted, I just installed it and updated everything.
If you don't mind... that would be kinda cool. I am rather curious as to what did it. I am actually hoping it is the PDF... so I can call my client and say your Mac is a virus carrier. I have repeated the search a few times and the picture/site in question always comes up.
 