Google Hijack and related issue, assistance sought after first taking required steps

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hannay, Jan 31, 2012.

  1. hannay

    hannay Private E-2

    (Windows 7 Home Premium, upgraded from Vista)

    1 - My Google search results are being hijacked to other sites in exactly the manner described widely elsewhere. Copy/pasting the link directly opens the correct site, though on about one occasion in ten a link does work properly.

    2 - I have a further problem which I believe to be directly related, namely:

    Following startup I am notified that I have an important message, which is to turn on Windows Security Centre service. That message is clickable and I believe should open the appropriate interface to do that, however when I click it I get a popup that says "The Windows Security Centre Can't Be Started".

    When I then open Services manually the Security Centre service is shown as disabled and I reset that to Automatic. On apply/okaying and backing out, the warning has disappeared and remains so unless I reboot, or for a while if continuing (Google still being redirected), or until I next use the computer when once again the warning appears and the service is found to be disabled again.

    I assumed that the virus that is hijacking Googlesearch links has/is also neutralising protection that might stop it from doing so.


    ***********


    Before coming across reports that this is a more significant matter than I had known, I initially ran Malwarebytes and Superantispyware, and later TDSSKiller following a comment read elsewhere, all with no findings/threats.

    I subsequently found this forum, and have now followed all the steps in the sticky on hijacked Google searches. I have produced all the logs requested, and would greatly appreciate expert assistance to clean my system.

    The following has a bearing:

    Combofix/AVG Free
    - I noted the requirement to uninstall AVG before running Combofix, and did so using the required uninstaller, not via Control Panel or the uninstall link.
    - Manually removed debris from Program Files, Program Data, and User>"name">App data>roaming. Hadn't expected to find any.
    - Combofix reported AVG antivirus and antispyware still running.
    - Ran AVG uninstaller again twice more, Combofix still found those services running.
    - Installed AVG again to repair/overwrite/absorb anything remaining, hopefully in order to uninstall all.
    - Uninstalled using uninstaller.
    - Combofix still found same two services present.
    (system rebooted as appropriate during cleans, uninstalls etc)
    - Did registry search, found a number of keys/entries with "AVG" in the label-string with/between other letters and numbers, such as "AGVIDSFilter", LEGACY_AGVIDSSH and others, but I am not familiar with registry matters sufficient to know if these are coincidental or related. None were deleted or altered.

    I therefore elected to let Combofix run anyway as I couldn't do anything further to clear its way, hoping that some of its output might nevertheless be useful. It ran without interruption. The attached log therefore relates to a system that believes AVG is completely uninstalled but which Combofix disagrees with to some degree.

    Root Repeal:
    Won't initialise, failure reports "Attempting to write to address 0x0137c000" and then same for address 0x6dc3b9fe. Downloaded again and retried, same result.

    MGTools:
    Ran but did not produce a log. On running a second time I noted a line stating "Could not create output file C:\MGlog.zip", so I copied the cmd window report/text in to a Word document which is attached in the absence of MG output.

    I noted two MG misc info files, and not knowing whether these relate to any deficiency in MG function or its findings, I am enclosing those also in case they add anything.


    *************

    Attached/Following:

    GooredFix
    TDSS Scan
    MBRCheck
    Defogger

    SAS log
    mbam log
    Combofix log
    Root Repeal report

    MGTools log
    MGTools miscinfo
    MGTools miscinfo2

  2. hannay

    hannay Private E-2

    Re: Google Hijack and related issue, assistance sought after first taking required st

    Further logs

  3. hannay

    hannay Private E-2

    Final logs

  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, hannay!

    You ran a much older version of SAS. The latest version is 5.0.1142. Get it from here and run another complete scan before proceeding.

    I'd also like you to update TDSSKiller and run another scan using the parameters outlined here.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %windir%\system32\*.sys /90
      %windir%\* /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
  5. hannay

    hannay Private E-2

    Hello and thank you, Thisisu.

    My apologies regarding SAS - I already had it installed and believed it to be current via auto-updating.

    I have now run the current SAS and also the updated TDSSKiller, both reporting no infections.

  6. thisisu

    thisisu Malware Consultant

    No problem.

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/howfytdl/{E6566178-5D90-485C-B41F-0E19EB5B0FA1}
    FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
    FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..keyword.URL: "http://mystart.incredimail.com/?loc=ff_address_bar&a=19emgPWjr2U&search="
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/01/23 16:23:41 | 000,126,976 | RHS- | C] () -- C:\Windows\System32\C_1256G.dll
    [2012/01/23 16:23:41 | 000,000,296 | ---- | C] () -- C:\Windows\tasks\ZJEUWRWROJ.job
    :files
    net stop winmgmt /y /c
    del /f/q/s %windir%\system32\wbem\repository\*.* /c
    dir "C:\Users\rd\Desktop\First scans and logs\" /c
    :commands
    [purity]
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed the above steps.
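    The fix list above singles out a hidden/system DLL in System32 with no publisher and a scheduled task with a random-looking name. As an added example (not part of this thread or of OTL), the script below parses file entries in the layout of those quoted lines (assumed to be "[date time | size | attrs | C/M] (company) -- path", with R/H/S meaning read-only/hidden/system) over constructed sample lines and reports which ones match those two indicators, so a log can be triaged before anything is deleted.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the layout of the OTL entries quoted in the fix.
SAMPLE_LINES = [
    "[2012/01/23 16:23:41 | 000,126,976 | RHS- | C] () -- C:\\Windows\\System32\\C_1256G.dll",
    "[2012/01/23 16:23:41 | 000,000,296 | ---- | C] () -- C:\\Windows\\tasks\\ZJEUWRWROJ.job",
    "[2011/11/02 09:12:05 | 000,312,320 | ---- | M] (Microsoft Corporation) -- C:\\Windows\\System32\\drivers\\afd.sys",
]

# Assumed layout: [stamp | size | 4-char attribute flags | C or M] (company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\S+ \S+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str
    company: str
    path: str

def parse_entry(line):
    """Return an Entry for a file line, or None if the line is not a file entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = int(m["size"].replace(",", ""))
    return Entry(m["stamp"], size, m["attrs"], m["company"].strip(), m["path"])

def suspicious_reasons(e):
    """Constructed heuristics mirroring the two indicators in the fix list:
    an unsigned hidden+system file under System32, and a .job task whose
    name is a long run of uppercase letters (random-looking)."""
    reasons = []
    flags = e.attrs.upper()
    lowered = e.path.lower()
    name = e.path.rsplit("\\", 1)[-1]
    if "H" in flags and "S" in flags and "\\system32\\" in lowered and not e.company:
        reasons.append("hidden+system file in System32 with no publisher")
    if lowered.endswith(".job") and re.fullmatch(r"[A-Z]{8,}\.job", name):
        reasons.append("scheduled task with random-looking uppercase name")
    return reasons

def triage(lines):
    """Map each flagged path to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        e = parse_entry(line)
        if e and suspicious_reasons(e):
            flagged[e.path] = suspicious_reasons(e)
    return flagged
```

Entries that do not match the assumed layout (registry keys, prefs.js lines) are skipped rather than misparsed.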
  7. hannay

    hannay Private E-2

    In the couple of hours or so since completing these steps there has been no further incidence of Google search links being redirected.

    - The system generally is a little laggy now in its inputs and responses however, opening files, operating GUIs, moving through websites/click-throughs, that kind of thing.

    - It is certainly taking longer to boot, close-around 1:48 just to get to the desktop, and just over a minute more for the processes to complete so files/programs can be accessed/opened without a long delay between clicking the icon and something happening. Previously this was taking 65 seconds to get all the way. I have checked startup launches and there is no bloat in there, just what I set with the exception of AVG which I have yet to reinstall and which I do want from startup.

    - The first couple of times I rebooted to check after completing these steps I was still having the same problem of not being able to turn Security Centre services on and have it stay on. With every reboot it still threw up a warning to do so even though I had previously set it to Automatic via services.msc. However, within literally the last few minutes the warning message changed and was now advising me to turn Defender on. I have done this and have also checked Security Centre service and found it now to be set to Automatic. I have rebooted twice since and it has remained set to Auto, and whilst there is still a warning it is only to install a suitable antivirus asap as AVG is no longer present. Understandably, I am keen not to leave the system unprotected longer than is appropriate anyway.

    It appears on the surface that the issues relating to search-redirects and to the Security Centre service have been addressed, though the logs will tell their own story I am sure. Should that turn out to be the case under the surface as well however, I would now be very keen to see whether there is some further cleaning-out or re-adjustment that can be done which would restore the zippier performance that appears to have been a casualty just now and presumably can therefore be restored.

    In any event however, grateful thanks for returning searches to proper functioning. A non-performing search capacity is a far greater problem than might first be thought!

  8. thisisu

    thisisu Malware Consultant

    Your latest logs are clean ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    After you complete the above: I would recommend you also review the following: Dealing with Startup Processes.

    Be safe :)
  9. hannay

    hannay Private E-2

    I had to be away for business last Friday and across the weekend at no real notice, and have returned only late this afternoon and I have been dealing with waiting messages and more.

    But although regrettably belated I do want to be sure to say thank you most sincerely for the great help dealing with my problem. Although it is hardly any test at all the system has been stable this afternoon which is the first time I have used it since your guidance.

    I will work through the further links that you recommend, and hopefully in future will avoid as much as is reasonably possible to sidestep as a result.

    Again, very many thanks indeed!

    Hannay
  10. thisisu

    thisisu Malware Consultant

    You're welcome, Hannay.

    Take your time :)