Author Topic: Search Engine re-direct BUG sends users to misc pages ...aaaaaaak! Help.

dleske

  • Guest
Avast is not picking up on a virus or Trojan on my computer. When I use any type of search engine their results pop up OK... but then when I click on ANY of the results on their search list the page is redirected to eBay or another search engine etc... sometimes just oddball pages. Anyone heard of this, and is there a fix???

THANKS in advance,
Don in Tacoma


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Especially step 6 is important in your case:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (be careful about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you are still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6. Also, if you are still detecting strange behaviors or you want to be sure you're clean, it may help to make a HijackThis log to post here and, especially, to scan and submit the RunScanner log to on-line analysis; this would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, better, the Windows Advanced Care features for spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Quote
Avast is not picking up on a virus or Trojan on my computer. When I use any type of search engine their results pop up OK... but then when I click on ANY of the results on their search list the page is redirected to eBay or another search engine etc... sometimes just oddball pages. Anyone heard of this, and is there a fix???

Sounds more like a browser hijack or possibly a HOSTS file redirect, and not a virus or trojan.

Try the anti-spyware tools Tech mentions and check the C:\Windows\HOSTS file using Notepad or another text editor; there may be entries for the search engine domains.

If that doesn't resolve it, try HijackThis as in Tech's step 6.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dleske

  • Guest
Hello again... Still having same problems, so here is my HijackThis log:
Thanks for looking.
-Don


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:03 AM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A583112-7997-4750-807A-DBAD1184300C}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD93F7D1-4D0B-445B-AE0A-2F2268F522D6}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5299 bytes

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Other than the O17 entries I don't see anything obvious, and this is usually associated with your ISP (85.255.112.167 and 85.255.113.106 = inhoster.com). Is that associated with your ISP?


Quote
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A583112-7997-4750-807A-DBAD1184300C}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD93F7D1-4D0B-445B-AE0A-2F2268F522D6}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.167

You don't appear to have an active firewall?

Did you check your HOSTS file as I suggested?

mauserme

  • Guest
Those O17s look like a Wareout infection.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Hi mauserme,

If it is Wareout, this tool can be used to remove it. It can be downloaded here:
http://downloads.subratam.org/Fixwareout.exe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Quote
Those O17s look like a Wareout infection.

Do you mean just the first two with the {CLSID} effectively piggybacking a ride on the probably legit O17 entries?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Hi dleske,

On this page you see the instructions for using FixWareout: http://www.bleepingcomputer.com/forums/topic76554.html
Mauserme confirmed this in his PM.

polonus

dleske

  • Guest
C:\Windows\HOSTS .... N/A.
« Reply #9 on: July 16, 2007, 07:48:25 PM »
Hi guys!

In my C:/ I cannot find a /HOSTS file whatsoever. I also checked hidden files.   :-[

HOWEVER... thank you for the tip about FixWareout.exe... I will do that now!

Best regards,
-Don


mauserme

  • Guest
Quote
Do you mean just the first two with the {CLSID} effectively piggybacking a ride on the probably legit O17 entries?

It's actually the IPs in the lines rather than the CLSIDs.

I would have a look at the FixWareOut log and, assuming there are positive detections and fixes made, then fix all the O17s in HJT and get a fresh HJT log.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
I wish you'd posted this before... I've just had a nightmare trying to clean infections like this one on a friend's computer. Living and learning: O17 entries and Wareout infection.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Quote
Then fix all the O17s in HJT and get a fresh HJT log.

How can we do that...? The infection comes back all the time...

mauserme

  • Guest
Sorry Tech - I didn't know.

Not all O17s are bad - check the IPs for 85.255... (it's an indication, not a guarantee, of infection).

FixWareOut will show detections in the log if any are found, and ComboFix is also effective against this now. After fixing the lines in HJT you need a fresh log to see if any O4 lines have unusual entries, because there is a version that will try to rename itself on reboot and re-establish the infection. Some are rooted, too.

BTW, this is not the initial indication I saw but a probable confirmation: the IPs are in the Ukraine while dleske's profile shows he is in Washington state.
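An added example, not code from anyone in this thread, that mechanises the two triage checks suggested above: DavidR's look through the HOSTS file for search-engine domains and mauserme's 85.255 nameserver indicator, run over O17 lines copied from Don's HijackThis log. The 192.168 entry with its GUID and the HOSTS contents are constructed, and the 85.255 rule is a heuristic for triage, not a verdict.

```python
import ipaddress
import re

# Constructed sample: two O17 lines from the HijackThis log in this thread plus one
# hypothetical entry pointing at a LAN router (that GUID and the 192.168 address are made up).
SAMPLE_HJT = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9A583112-7997-4750-807A-DBAD1184300C}: NameServer = 85.255.113.106,85.255.112.167
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.106 85.255.112.167
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{HYPOTHETICAL-GUID}: NameServer = 192.168.1.1
"""
# Constructed HOSTS file: one search-engine domain pinned to one of the same addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
85.255.113.106  www.google.com
"""
# The thread's indicator: resolvers in 85.255.x.x (an indication, not a guarantee).
SUSPICIOUS_NETS = [ipaddress.ip_network("85.255.0.0/16")]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def _in_nets(addr, nets):
    """True if addr parses as an IP address and lies inside any network in nets."""
    try:
        return any(ipaddress.ip_address(addr) in n for n in nets)
    except ValueError:          # not an IP literal (e.g. a hostname): never matches
        return False

def parse_o17(log_text):
    """Yield (registry key, [nameserver IPs]) per O17 line; HJT separates IPs with ',' or ' '."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m.group("key"), [s for s in re.split(r"[,\s]+", m.group("servers")) if s]

def flag_nameservers(log_text, suspicious_nets=SUSPICIOUS_NETS):
    """Return [(key, [matching IPs])] for O17 entries whose resolvers fall in a suspicious net."""
    checked = ((key, [s for s in servers if _in_nets(s, suspicious_nets)])
               for key, servers in parse_o17(log_text))
    return [(key, bad) for key, bad in checked if bad]

def hosts_overrides(hosts_text, watched_domains):
    """Return [(domain, ip)] where HOSTS pins a watched domain to a non-loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()     # strip comments; then "IP name [name ...]"
        if len(fields) < 2 or _in_nets(fields[0], [ipaddress.ip_network("127.0.0.0/8")]):
            continue
        hits += [(n.lower(), fields[0]) for n in fields[1:] if n.lower() in watched_domains]
    return hits
```

On a real machine you would feed it the saved HJT log text and the contents of the system's hosts file; a hit on either check is a reason to compare the resolver addresses against what your ISP actually issues.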

dleske

  • Guest
Ok..,

1. Below is the log file from using the Fixwareout program. I hope it helps.
2. ...do I need to fix the O17s and get a fresh HJT log? If so please instruct. SO FAR the fix seems to have worked I think, since I have done a search and it no longer "redirects" me to a bogus page.
3. Do I need to delete the Fixwareout program or any of the other reg/fix programs, once used?
Your assistance is invaluable, let me know if there is any way I can show my appreciation ok.  :)
Thanks,
-Don
####################################################################

Username "Don" - 2007-07-16 10:51:13 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrdj.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.106 85.255.112.167" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9A583112-7997-4750-807A-DBAD1184300C}
"nameserver"="85.255.113.106,85.255.112.167" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD93F7D1-4D0B-445B-AE0A-2F2268F522D6}
"nameserver"="85.255.113.106,85.255.112.167" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6FC1E0A7-310E-4BCD-A604-55AD04EBBCB1}
"DhcpNameServer"="85.255.113.106,85.255.112.167" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9A583112-7997-4750-807A-DBAD1184300C}
"DhcpNameServer"="85.255.113.106,85.255.112.167" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Other
C:\WINDOWS\Temp\kdrdj.ren 66520 08/04/2004

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"masqform.exe"="C:\\Program Files\\PureEdge\\Viewer 6.1\\masqform.exe /RegServer -UpdateCurrentUser"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

###################################################

If you work for Avast ... I would be glad to pay the upgrade.
Thanks,
-Don