browser hijacking problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by prillernut, Aug 11, 2012.

  1. prillernut

    prillernut Private E-2

    I'm getting intermittently hijacked when clicking on Google search results. I have searched but I'm not finding the solution. The problem was first noticed to have occurred on July 8, just over a month ago.

    Whatever malware is present is eluding detection from my current protection. I'm using AVG Free, Spybot, SpywareBlaster, and SUPERAntiSpyware Free. I'm using Firefox, and it's a 64-bit Windows 7 system.

    I've run the procedures in the Fixing Google Redirection and Read & Run Me First threads, and it appears something was found, at least in RogueKiller. It wasn't clear to me how to handle the RK results, so I just closed out the results window without taking any action on the files it found.

    The requested RK, MBAM, HitmanPro, and MGtools logs should be attached to a following post.

    Thanks for your time,

    Tony
     
  2. prillernut

    prillernut Private E-2

    Please find attached RK, MBAM, HitmanPro and MGtools.zip files.

    Thanks for your time,

    Tony
     


  3. thisisu

    thisisu Malware Consultant

    Hello Tony,

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 32

    __

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select Yes when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

     
  4. prillernut

    prillernut Private E-2

    Thanks thisisu,

    Performed steps as requested. One issue, I had a bluescreen shutdown while running the aswMBR scan. In case it's of any use, the info provided after restarting is attached. A second attempt running aswMBR scan ran with no problem, and the OTL scan ran with no problem.

    Logs are attached, thanks for your time!
     


  5. thisisu

    thisisu Malware Consultant

    C:\Windows\Minidump\081312-33945-01.dmp <== Can you .zip and attach this log to your next message?

    Reviewing the rest of your logs now.
     
  6. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:3F30E778
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:838D4792
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:69E87FA2
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:DEDD192D
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:493B3641
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:12B8C802
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
    :commands
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Let me know which browsers you are still experiencing redirects in after completing the above.
     
  7. prillernut

    prillernut Private E-2

    Here's the minidump file, OTL to follow. Thanks thisisu -
     


  8. prillernut

    prillernut Private E-2

    Here's the OTL Fix log -

    I've got to get off the computer for now, but I'll be back on it this afternoon and watch for browser redirects. Thanks thisisu -
     


  9. thisisu

    thisisu Malware Consultant

    Finished reviewing your BSOD log. aswMBR driver caused the crash. Some of these anti-rootkit tools just aren't compatible with all systems. I don't think you have anything to worry about though regarding this BSOD.

    Whenever you get a chance let me know if the redirects persist but also let me know which browsers they still persist in.

     
  10. prillernut

    prillernut Private E-2

    Thanks thisisu,

    I am still getting intermittent redirects using Firefox. I've gotten 2 redirects out of about a couple of dozen searches. I've tried IE9 and Chrome, and so far no redirects using either. I'll try to keep using them and let you know if I get any -
     
  11. thisisu

    thisisu Malware Consultant

    No problem.

    Please rescan with OTL using the same manual scan options as you previously did.

    Then attach the latest OTL.txt.

    You could uninstall Firefox and reinstall it if you wish, and that is what we may end up needing to do. Your call, I just want to see if OTL.txt reveals any problems in its Firefox section.
     
  12. prillernut

    prillernut Private E-2

    Hi thisisu,

    Just rescanned with OTL, log is attached.

    I'll hold off on uninstalling Firefox for now, but no problem when you give the word.

    Thanks again for your time :)
     

    Attached Files: OTL.Txt (255.2 KB)
  13. thisisu

    thisisu Malware Consultant

    This should do the trick.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    [2012/03/30 18:25:05 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Tony_2\AppData\Roaming\mozilla\Firefox\Profiles\7b10z27t.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2012/07/08 19:49:05 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\TONY_2\APPDATA\LOCAL\{66C28BD8-C957-11E1-8270-B8AC6F996F26}
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{66C28BD8-C957-11E1-8270-B8AC6F996F26}: C:\Users\Tony_2\AppData\Local\{66C28BD8-C957-11E1-8270-B8AC6F996F26}\ [2012/07/08 19:49:05 | 000,000,000 | ---D | M]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
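    The two OTL fixes in this thread target a Firefox extension registered through the registry (pointing at a GUID folder under AppData\Local rather than the profile's extensions folder) and a set of alternate data streams on C:\ProgramData\TEMP. The PowerShell below is an added defender-side check, not code from the thread or from OTL: it lists registry-registered Firefox extensions and flags ones matching that AppData\Local\{GUID} pattern, then enumerates non-default streams under C:\ProgramData. It assumes PowerShell 3 or later; the AppData\Local heuristic is an assumption drawn from the log line quoted above, not a rule of Firefox.

```powershell
# Added example: audit the persistence spots the OTL fixes above clean up.
# Run as the affected user (HKCU) from an elevated PowerShell 3+ session.

# 1. Firefox extensions registered via the registry. Legitimate add-ons usually
#    live in the profile's extensions folder; a registry entry whose path is
#    AppData\Local\{GUID} is the shape seen in this thread's OTL log (heuristic).
$regPaths = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions'
)
$extensions = foreach ($rp in $regPaths) {
    if (-not (Test-Path $rp)) { continue }
    $key = Get-Item -LiteralPath $rp
    foreach ($name in $key.GetValueNames()) {
        $target = [string]$key.GetValue($name)
        $suspicious = $target -match '\\AppData\\Local\\\{[0-9A-Fa-f-]+\}\\?$'
        [pscustomobject]@{
            Key         = $rp
            ExtensionId = $name
            Path        = $target
            Exists      = (Test-Path -LiteralPath $target)
            Flag        = if ($suspicious) { 'REVIEW' } else { '' }
        }
    }
}
"== Registry-registered Firefox extensions =="
$extensions | Format-Table -AutoSize

# 2. Alternate data streams on items directly under C:\ProgramData. The default
#    ':$DATA' stream is skipped; anything else (e.g. TEMP:3F30E778 in the log
#    above) is listed with its size so it can be reviewed before removal.
"== Non-default NTFS streams under C:\ProgramData =="
Get-ChildItem -LiteralPath 'C:\ProgramData' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize
```

    The output is for review only; it removes nothing, so the entries can be compared against the OTL log before any fix is run.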
     
  14. prillernut

    prillernut Private E-2

    It didn't like that much ;)

    Copied & pasted custom fixes, ran fix. Appeared to hang at "Processing [2012/03/30 18:25:05 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Tony_2\AppData\Roaming\mozilla\Firefox\Profiles\..."

    Tried opening Task Manager to see what was going on; right-clicked the taskbar, clicked Start Task Manager. That window closed, but Task Manager never opened. Further attempts to right-click the taskbar had no result - no window popped up. Cursor responds normally, but neither right- nor left-clicking on anything has any response. Ctrl+Alt+Delete resulted in a BSOD with message "SYSTEM SERVICE EXCEPTION". I've attached the problem details from the unexpected shutdown message window.

    I figured I'd check back before attempting another fix run. Let me know if we want to just uninstall/reinstall Firefox, or go after it again. Thanks again for your time thisisu -
     


  15. prillernut

    prillernut Private E-2

    I just realized you might want this, here's the minidump file -
     


  16. thisisu

    thisisu Malware Consultant

    Hi, go ahead and uninstall and reinstall Firefox and let me know if that takes care of the problem.
     
  17. prillernut

    prillernut Private E-2

    done - so far so good... I'll check back in and let you know how it looks :)
     
