Author Topic: urlseek  (Read 24530 times)


ehargett

  • Guest
urlseek
« on: July 17, 2012, 02:57:28 AM »
Some browser hijacker, "urlseek" is bothering me. LOL
I've run scans with both Avast Pro and Iobit's Advanced System Care, and even Iobit's Malware Fighter Pro, and this redirect malware keeps coming back, so I am thinking maybe it never left... It may have ridden in on a toolbar I had installed, but I disabled it, ran scans, however I continue to get sent to a "urlseek" website randomly when clicking from within an email (from as benign a website as Staples) or doing a simple browser search.

So, I'm attaching the log files requested in two separate posts.

I run an iMac running OS Lion that I partitioned to run Win7 via Bootcamp from part of the hard drive. I also have a 2TB external hard drive partitioned to Mac and Win, not that it seems necessary anymore since I seem to be able to access most files from either format of that drive regardless of what OS I am working under. So, if you see several different hard drives, that's why.

Anyway, I don't have this problem when using FF from within the Mac OS environment, but when I am using FF from Win7, I will periodically get redirected to the urlseek crap.

LMK what I need to do to completely get rid of this malware. I have not gotten any alerts from either Avast or Iobit that specifically address a "urlseek" re-directer.

Thanks,
Elizabeth

ehargett

  • Guest
Re: urlseek
« Reply #1 on: July 17, 2012, 02:58:23 AM »
And here's the Extras txt

Elizabeth

SafeSurf

  • Guest
Re: urlseek
« Reply #2 on: July 17, 2012, 11:45:44 AM »
Thank you for posting your logs.  I am going to refer you to our Certified Malware specialists, named Jeffce.  He will also review your logs and give you further instructions.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Jeffce or another malware removal specialist instructs you to do so for malware removal; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

jeffce

  • Guest
Re: urlseek
« Reply #3 on: July 17, 2012, 02:28:03 PM »
Hi,

Let me look these over and I will return as quickly as I can.  :)

Are you aware that your computer is set to run on a proxy server??
« Last Edit: July 17, 2012, 02:30:11 PM by jeffce »

ehargett

  • Guest
Re: urlseek
« Reply #4 on: July 26, 2012, 07:18:27 PM »
No, I was unaware of any proxy server.
Sorry it's taken me a few days to get back. Been out of town, and will be going back out again in a few days, so I'd like this taken care of asap. No real rush, though I guess, since I can certainly address any issues when I get back.
However, have you had a chance to look over the logs, and tell me what is going on? The redirecting/inability to search is getting more frequent, and I can't work. :(

Elizabeth
« Last Edit: July 26, 2012, 07:26:34 PM by ehargett »

ehargett

  • Guest
Re: urlseek
« Reply #5 on: August 07, 2012, 02:01:10 AM »
I am attaching new logs run today on this computer since it's been two weeks.
Please, notify Jeffce to disregard the previously posted logs, and to respond asap to my browser hijack issue. I am back in town, and can respond more quickly now.

Thanks,
Elizabeth

ehargett

  • Guest
Re: urlseek
« Reply #6 on: August 07, 2012, 02:02:22 AM »
And here's the new Extras file.

Elizabeth

jeffce

  • Guest
Re: urlseek
« Reply #7 on: August 07, 2012, 01:36:04 PM »
Hi,

Welcome back... let me look these over and I will get back with you as quickly as I can.  :)

jeffce

  • Guest
Re: urlseek
« Reply #8 on: August 09, 2012, 07:49:31 PM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
PRC - [2012/05/26 12:04:52 | 000,913,792 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
PRC - [2012/01/09 20:17:44 | 000,821,592 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
MOD - [2012/05/24 10:45:42 | 000,138,112 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll
SRV - [2012/05/26 12:04:52 | 000,913,792 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2012/01/09 20:17:44 | 000,821,592 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe -- (IMFservice)
DRV - [2012/07/05 13:53:38 | 000,019,832 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\UrlFilter.sys -- (UrlFilter)
DRV - [2012/07/05 13:53:36 | 000,030,640 | ---- | M] (IObit.com) [Kernel | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\RegFilter.sys -- (RegFilter)
DRV - [2012/01/05 18:07:20 | 000,020,336 | ---- | M] (IObit) [File_System | On_Demand | Running] -- C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\FileMonitor.sys -- (FileMonitor)
DRV - [2011/03/16 18:59:38 | 000,032,672 | ---- | M] (IObit Information Technology) [File_System | Auto | Running] -- C:\Program Files\IObit\Protected Folder\pffilter.sys -- (PfFilter)
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 E3 55 BA 55 1C CB 01  [binary data]
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\URLSearchHook: {707db484-2428-402d-afb5-d85b387544c7} - No CLSID value found
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;*.local;<local>
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin:  File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/03/29 10:25:09 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (Webblog) - {C3947F4E-8894-4C04-98E0-DF182C706DDF} - C:\Program Files\wbtooltb\wbtoolDx.dll ()
O3 - HKLM\..\Toolbar: (Webblog) - {C3947F4E-8894-4C04-98E0-DF182C706DDF} - C:\Program Files\wbtooltb\wbtoolDx.dll ()
O3 - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\Toolbar\WebBrowser: (no name) - {707DB484-2428-402D-AFB5-D85B387544C7} - No CLSID value found.
O3 - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [IObit Malware Fighter] C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (IObit)
O4 - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001..\Run: [Advanced SystemCare 5] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (IObit)
O32 - AutoRun File - [2010/01/28 16:00:27 | 000,000,088 | ---- | M] () - F:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{81032316-d5e6-11e1-a0d4-7c6d62935b09}\Shell - "" = AutoRun
O33 - MountPoints2\{81032316-d5e6-11e1-a0d4-7c6d62935b09}\Shell\AutoRun\command - "" = J:\MotoCastSetup.exe -a
O33 - MountPoints2\{b6287671-e599-11e0-85e5-7c6d62935b09}\Shell - "" = AutoRun
O33 - MountPoints2\{b6287671-e599-11e0-85e5-7c6d62935b09}\Shell\AutoRun\command - "" = K:\autorun.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
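As an added example (not part of jeffce's instructions and not OTL's own code), a small Python triage of OTL log lines of the kind quoted above: it flags the indicators this thread turns on, namely the IE proxy setting jeffce asked about, a search scope pointing at a provider other than the accepted ones, hook/toolbar GUIDs that OTL reports with no CLSID, and BHO/toolbar modules whose publisher field is empty. The set of accepted search hosts is an assumption; the sample lines are copied from the fix quoted in this thread.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Search hosts treated as legitimate defaults (an assumption for this example).
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

SEARCHSCOPE_RE = re.compile(r'SearchScopes\\\{[^}]+\}: "URL" = (\S+)')
PROXY_RE = re.compile(r'"(ProxyServer|ProxyOverride|ProxyEnable)" = ')
PUBLISHER_RE = re.compile(r'\(([^()]*)\)\s*$')  # OTL's trailing (Company)

# Lines copied from the OTL fix quoted in this thread, used as sample input.
SAMPLE_OTL = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\URLSearchHook: {707db484-2428-402d-afb5-d85b387544c7} - No CLSID value found
IE - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;*.local;<local>
O2 - BHO: (Webblog) - {C3947F4E-8894-4C04-98E0-DF182C706DDF} - C:\Program Files\wbtooltb\wbtoolDx.dll ()
O3 - HKU\S-1-5-21-3045708588-2119644354-3407544181-1001\..\Toolbar\WebBrowser: (no name) - {707DB484-2428-402D-AFB5-D85B387544C7} - No CLSID value found.
O4 - HKLM..\Run: [IObit Malware Fighter] C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (IObit)
"""

def triage_otl(log_text):
    """Return (rule, line) pairs for OTL lines an analyst should look at."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = SEARCHSCOPE_RE.search(line)
        if m and (urlparse(m.group(1)).hostname or "") not in KNOWN_SEARCH_HOSTS:
            findings.append(("unknown-search-provider", line))
        if "No CLSID value found" in line:
            # GUID still registered as a hook/toolbar but its COM class is gone:
            # typical residue of a removed or half-removed add-on.
            findings.append(("orphaned-clsid", line))
        if PROXY_RE.search(line):
            # Any IE proxy setting is worth confirming with the user first.
            findings.append(("proxy-setting", line))
        if line.startswith(("O2 - BHO", "O3 - ")):
            m = PUBLISHER_RE.search(line)
            if m and not m.group(1).strip():
                # Empty "()" means the module carries no company/version info.
                findings.append(("unattributed-module", line))
    return findings

def summarize(findings):
    """Count findings per rule, e.g. {'orphaned-clsid': 2, ...}."""
    return dict(Counter(rule for rule, _ in findings))
```

Run against SAMPLE_OTL it flags five lines and leaves the Bing scope and the signed IObit Run entry alone.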

ehargett

  • Guest
Re: urlseek
« Reply #9 on: August 09, 2012, 11:12:11 PM »
Jeffce,
I tried three times to run the OTL Fix, and each time it started killing processes, then stopped responding. :(
I manually disabled Iobit's programs and Avast, and tried to re-run the fix again, and it still stopped responding.

Let me know what else you would like for me to try.

Elizabeth

jeffce

  • Guest
Re: urlseek
« Reply #10 on: August 10, 2012, 03:57:25 AM »
Hi,

Let's break out the big boy.  :)

Download Combofix from the link below, and save it to your desktop. 
Link

**Note:  It is important that it is saved directly to your desktop**
 If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------

ehargett

  • Guest
Re: urlseek
« Reply #11 on: August 10, 2012, 04:20:28 AM »
I got the OTL fix to run, but am experiencing some really slow internet speeds (speedtest came back 0.50/0.10 on my DSL), so I couldn't upload the txt file. Don't know if my internet speed timeouts are related to the hijacker issue we're working on, or if I just need a new router/modem. But, I'm working on a workaround to get the files uploaded, and I'm also having to troubleshoot the router/modem.
So, please, bear with me. :)
Elizabeth

jeffce

  • Guest
Re: urlseek
« Reply #12 on: August 10, 2012, 05:19:28 PM »
No problem.  :)

ehargett

  • Guest
Re: urlseek
« Reply #13 on: August 10, 2012, 05:19:54 PM »
Here's the OTL txt; I will run the combo fix in a bit.

BTW, my scheduled scan ran last night and came back with a JSReloader trojan(?) so I deleted it, and let a boot time scan run. Sorry if that screws up the results of the OTL txt. I can re-run it again if you'd like.

Elizabeth

ehargett

  • Guest
Re: urlseek
« Reply #14 on: August 11, 2012, 02:54:08 PM »
Ugh! Combofix won't run.
I've been running as administrator each time, and it gets hung up on the blue screen where it says "Scanning for infected files... Etc."  I've let it sit undisturbed now three times... for a couple hours each time. When I come back to check on it, nothing has changed, and the program is unresponsive.
Did the otl show anything?