Request for help: Adware link redirect

Discussion in 'Malware Help (A Specialist Will Reply)' started by 1GoodTurn, Jan 21, 2007.

  1. 1GoodTurn

    1GoodTurn Private E-2

    Dear Malware Expert (or some facsimile thereof),
    I am hoping someone might advise me on this rather stubborn adware problem before I resort to a full wipe.

    Problem:
    Using Windows XP, DSL, IE, search engine results/links on Google, MSN, etc. frequently redirect to various advertising sites (with "related" links based on my search). Looks like a forced quick timeout then redirect. Happens on a few of the more popular results, not all. Does not happen on exact same sites/links on my other computer. Have seen other people with this problem at various forums but either there is no effective solution suggested or the solution is very particular to their case. Here's my particular case...

    Have taken the following action thus far:
    1. Tried the usual Spybot & Ad-Aware scans to no avail.

    2. Followed the (Updated) Malware Removal Guide [chaslang 9 Oct 05] and the HJT Tutorial [Major Attitude 1 Aug 04] pretty much to the letter - logs to be attached.
    A probable "Bad" malware was detected by at least one application (and eliminated), as well as less harmful ones (some buried cookie and old Kazaa-lite). On the first round in IE the adware seemed to be gone, but came back soon - may have been confused being offline. Problem was still there.
    I HAVE NOT eliminated HJT resultant questionable files - I'm hoping for advice here.

    3. Also tried activating IE while disconnected to test the "confusion" theory - no effect. Downloaded Internet Explorer 7 and installed. Still have the problem (with and without MS Phishing protection).

    4. Side-problem: With all the above, IE loads slowly (both versions did) and Amazon sites take an inordinate amount of time, although NewEgg and others work ok.

    Suggestions appreciated. Logs attached (I hope) and following.

  2. 1GoodTurn

    1GoodTurn Private E-2

    More for: Request for help: Adware link redirect


    Regarding HJT results:
    Most everything in C:\windows\system32 seems old (circa 2004).

    The R1's and 1st R3 look like Earthlink files, but this one is questionable:
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R0 - I don't actually find "BLANK.HTM" in that directory

    ------------------
    I did add two Java updates recently (one for this exercise).

    Thanks in advance.

    PS I removed the CounterSpy since it was going to expire soon and thought it might speed things up (it kept activating itself on start-up).

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: More for: Request for help: Adware link redirect

    Welcome to Majorgeeks!

    Why didn't you attach the log from CounterSpy?

    Note: You did not download and use the current versions of GetRunKey and ShowNew. Where did you get your copies from? Or perhaps I should say when did you last download them. You must always make sure you are using current versions of all programs.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment Standard Edition v1.3.0_03
    Java(TM) SE Runtime Environment 6
    KaZaA Lite 2.0.0 <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now follow this procedure WareOut Removal and attach the requested log when finished.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC10330-1017-4740-B175-F3CC33755167}: NameServer = 85.255.113.116,85.255.112.80
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\My Documents\My Music\KaZaA Lite <--- the whole folder

    Assuming you uninstalled CounterSpy then delete the below 2 folders too which will not be removed:
    C:\Documents and Settings\mark\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now run Ccleaner.

    Now reboot in normal mode

    Now attach a new HJT log.

    Make sure you tell me how things are working now!
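The O17 lines selected for fixing above are the security-relevant part of this log: every control set (CCS, CS1, CS2) and the adapter's own interface key have had their NameServer value pointed at the same pair of outside resolvers, which is exactly what produces search-result redirects that only happen on one machine. The script below is an added example (not MajorGeeks', HijackThis' or the thread's own code): it parses O17 lines out of an HJT log, reports any resolver that is not in an allowlist of expected networks, and shows which control sets carry it, so a reader can tell whether the change has been planted in every boot configuration. The sample log lines are constructed from the entries quoted in the thread plus one benign private-range resolver; the allowlist of private networks is an assumption for this example and should be replaced with the resolvers your ISP or router actually hands out.

```python
"""Flag HijackThis O17 NameServer entries that point at unexpected DNS resolvers.

Added example for the thread above; not HijackThis' or MajorGeeks' own code.
"""
import ipaddress
import re

# Constructed sample: the four O17 lines quoted in the thread, one non-O17 line
# that must be ignored, and one benign private-range resolver that must pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFC10330-1017-4740-B175-F3CC33755167}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
""".strip()

# Assumption for this example: the home router hands out private-range
# resolvers, so anything outside these networks is worth reporting.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
]

# HJT writes the control set (CCS, CS1, CS2, ...) into the key path; capture it.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\[^:]+): "
    r"NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one record per O17 line: registry key, control set, resolver list.

    HJT separates multiple resolvers with either a comma or a space, so split on both.
    """
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        records.append({"key": m.group("key"), "cset": m.group("cset"), "servers": servers})
    return records


def unexpected_resolvers(records, expected=EXPECTED_RESOLVERS):
    """Sorted list of resolver values that fall outside every expected network."""
    bad = set()
    for rec in records:
        for server in rec["servers"]:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                bad.add(server)  # not even a valid address: report it as-is
                continue
            if not any(addr in net for net in expected):
                bad.add(server)
    return sorted(bad)


def control_sets_with(records, resolver):
    """Control sets whose Tcpip keys carry the given resolver.

    The same rogue resolver in CCS, CS1 and CS2 means a plain reboot or
    'Last Known Good Configuration' will not shed it; each set needs fixing.
    """
    return sorted({rec["cset"] for rec in records if resolver in rec["servers"]})


def report(log_text):
    """Map each unexpected resolver to the control sets it was found in."""
    records = parse_o17(log_text)
    return {ip: control_sets_with(records, ip) for ip in unexpected_resolvers(records)}


if __name__ == "__main__":
    for ip, csets in report(SAMPLE_LOG).items():
        print(f"unexpected resolver {ip} in control sets: {', '.join(csets)}")
```

Running it on the constructed sample reports both 85.255.x.x resolvers as present in CCS, CS1 and CS2, and leaves 192.168.1.1 alone. The same parse-and-allowlist logic applies to any HJT log saved to disk; read the file and pass its contents to `report()`.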
     
  4. 1GoodTurn

    1GoodTurn Private E-2

    chaslang,

    Ah hah. The redirect action has stopped. Tested it out over a few reboots, screen openings and different users. Thank you for all the advice.

    Felt guilty about the CounterSpy log (probably lost it on the program removal), so I reloaded the program and ran it into the wee hours of the morning. It found a pair of trojans and Kazaa - see log. Deleted them and the first folder per your instructions (i.e. HJT stuff too) but kept the Sunbelt folders. Please check and advise if anything new is on HJT log that should go. (Cleaning out programs is satisfying - like a good defrag....)

    FYI - The GetRunKey and ShowNew programs were downloaded in late (20?) Dec 06 via your 9 Oct 05 message links. I downloaded the same programs last night but they appeared to be the same size (how can you tell if you have the "latest version" on an exe/bat file?).

    Apologies for the long delay before responding - lost what was written last night when IE froze up. Apparently, possibly as a result of the IE 7 program or CounterSpy action, MusicMatch Jukebox won't start up, but this attempt also jams up the IE windows. I was leaning towards iTunes but I'd like to fix it if you know what's going on.

    Once again, thanks for your aid.
    Mark

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you must always check to see if you have the version mentioned on the download pages. They are small enough to just redownload and they do change fairly often. You can see the version information at the top of the .bat files by loading them into an editor or you can just look at the top of the logs created. Look at the ones you post. The current versions that you should have are:
    • GetRunKey V 1.54
    • ShowNew V 0.28
    Your HJT log is clean! Are you having any more malware problems? If not, uninstall CounterSpy again and continue on to the below.

    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link: