NEW Search Engine Redirect Virus/Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by esl537, May 30, 2010.

  1. esl537

    esl537 Private E-2

    hello,

    i need help. i've had the search engine redirect virus since tuesday may 18th, 2010. since that time, i have done a lot of research on the web and tried many different suggested solutions without any success. part of my research suggests that the redirect virus in general is not a new problem, since i have seen posts about this very problem dating back to early 2009. the reason why i call this "NEW" is b/c none of the previous fixes seem to work against this one, including the steps that have been outlined in this forum: http://forums.majorgeeks.com/showthread.php?t=139313

    just a last bit of context before i get to the results so far: i have tried 2 different browsers (IE and chrome) and tried 3 different search engines (google, yahoo, bing) and they all have this issue. the problem seems to be that when i type in something to search and get the results back, 1 of 2 things will happen when i click on the links that are displayed. either i will get redirected to some random site, typically ads or bogus sites. or, the very first link i click (doesn't have to be the top hit) will be fine. but when i click back and then select a different link from the same set of search results, i will get redirected. and this behavior does not seem deterministic. from one day to the next i can type the exact same thing into the exact same search engine and the exact same browser and sometimes result 1 will happen and sometimes result 2 happens.

    anyways, so i followed the steps in the above link and ran all the tools and collected the logfiles. for the most part, the tools ran w/o problems. meaning, i didn't have trouble downloading, installing them and running them with one exception.

    the only tool that did not work was combofix. i tried this a couple of times thinking maybe i did something wrong at first but i am pretty sure now that i followed all the steps and it just doesn't work. the symptom is that it BSODs during the "scan should take less than 10 minutes" stage. so i do not have a logfile for that. but i do for all the others. the logfiles in general will show that some things were detected and i removed them accordingly. however, i still have the redirect issue. also, it seems that some services are a bit flaky now- for example, the "themes" service no longer works and so my XP window themes do not work. i have not gone fishing around to see what else doesn't work or how to fix what is broken b/c at least they don't seem to be inhibiting usage of the computer. i figure i can fix those later. but thought i would mention it in case this was useful information.

    the logfiles/zip is attached. i know it is a long weekend, but i would greatly appreciate any help that can be provided.

    thanks,
    edward
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please first try this:

    * Please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Also, please run this: GMER - running with a random name and attach the log from GMER.
     
  3. esl537

    esl537 Private E-2

    thanks for writing back so quickly.

    ironically, i had previously run tdsskiller.exe before to no avail, meaning it didn't fix anything, though it did not crash. but i ran it again just now to be sure. still didn't have any effect, though it did run. logfile is attached.

    i also ran GMER. it seemed to find something but then my whole system crashed (after i saved the logfile). when i got back in, all my internet services were jacked. so i spent some time fixing that. i'm back now, as you can see. logfile of GMER is attached as well.

    keep throwing suggestions out.
    thanks, edward


     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator)
    • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    atapi.sys
    
    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me give you a possible fix since I am about to log off:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Attach the new ComboFix log.
     
  6. esl537

    esl537 Private E-2

    logfile is attached.

    keep it coming,
    edward

     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    See my last post made while you were away.
     
  8. esl537

    esl537 Private E-2

    sorry, didn't see your post.

    anyways, i tried the new combofix suggestion but that did not work. same symptoms as before- i get a BSOD. i tried this a couple of times and it was the same result each time.

    and i'm pretty sure i have all of the AV and malware stuff turned off b/c one of the times when i forgot to turn off my mcafee, running combofix gave me a specific error stating as such. all the other times, i never got that error.

    i will note, however, that i only use the built-in windows firewall. i tried turning that off but i was not able to. when i tried to start the service that controls the firewall, windows crapped out on me. as i previously mentioned, many services seem to be acting crazy on the computer now, which was never the case before i started running SAS, MBAM, etc. this is to say that whatever redirect virus is on the computer did not appear to affect those services before i started trying to get rid of it.

    any other suggestions?

    oh, had one question. i was reading this thread:
    http://forums.majorgeeks.com/showthread.php?t=208539
    and in it, "the avenger" was suggested. should i try this? and if so, how should i configure it to run for my machine- the post seems to suggest that running avenger should be done in a customized manner...

    thanks, edward

     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We can try replacing the file using Avenger.

    First I want you to use windows explorer to find this file:
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --> right click the atapi.sys file and choose copy, then open my computer, open the C drive and paste the file onto that drive so you end up with C:\atapi.sys. It must be just like that to work.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any checkbox options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now re-run GMER and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  10. esl537

    esl537 Private E-2

    hi again

    did the avenger thing- seemed to suggest that there were no rootkits found.

    also ran GMER again. i've attached it. i should note that running GMER caused my computer to crash, again, just like the first time i ran it (after i saved the log file). is this a clue, just like how combofix never works?

    also got the MGlogs and attached them.

    still have the redirect virus. let me know how to proceed.
    edward


     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Gmer is still reporting atapi.sys as being bad. Do this please:

    Go to C:\MGtools\mbrfix.bat and double click it. Let it run and then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    atapi.sys is most likely not the problem. I would first uninstall McAfee since we have been seeing it become infected without even knowing it. Also, since McAfee does a poor job cleaning up after itself, run the below: McAfee Consumer Product Removal Tool


    After uninstalling McAfee reboot, and then rerun GMER and attach a new log.


    Also now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Also check to see if the redirections are still occurring.
     
  13. esl537

    esl537 Private E-2

    ok

    uninstalled mcafee
    ran gmer
    had to reboot as exiting gmer crashed the system, as previous
    ran mgtools

    logs attached. redirect virus still present.
    edward

     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's good, and now the possible real problem is showing to be C:\WINDOWS\system32\DRIVERS\tcpip.sys

    Please now re-run TDSSkiller like TimW previously had you run and attach the new log.

    If still having a re-direct issue afterwards, do the below.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If none of the above correct the problem, we will have to use a program named MaxLook to locate the problem driver or drivers. Do you have your Windows Boot CD?
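    One way to do the check the thread is circling around (a live driver such as atapi.sys or tcpip.sys compared against a known-clean copy kept elsewhere on the disk), as an added example that is not part of this thread or of the MajorGeeks tools: it SHA-256 hashes each driver and its backup copies and reports any mismatch. The ReinstallBackups path comes from TimW's post; the dllcache paths are assumptions typical of Windows XP, and the sample files in demo() are constructed.

```python
import hashlib
import os
import tempfile

# Assumed locations. The thread names atapi.sys (with a ReinstallBackups copy)
# and tcpip.sys; dllcache is the Windows XP File Protection cache, added here
# as a second known-clean source. Only meaningful on a Windows XP machine.
DEFAULT_DRIVERS = {
    r"C:\WINDOWS\system32\drivers\atapi.sys": [
        r"C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys",
        r"C:\WINDOWS\system32\dllcache\atapi.sys",
    ],
    r"C:\WINDOWS\system32\DRIVERS\tcpip.sys": [
        r"C:\WINDOWS\system32\dllcache\tcpip.sys",
    ],
}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def compare_driver(live_path, backup_paths):
    """Return ('ok' | 'MISMATCH' | 'missing', detail) for one live driver."""
    if not os.path.isfile(live_path):
        return "missing", "live driver not found"
    present = [p for p in backup_paths if os.path.isfile(p)]
    if not present:
        return "missing", "no backup copy available to compare against"
    live = sha256_of(live_path)
    differing = [p for p in present if sha256_of(p) != live]
    if differing:
        return "MISMATCH", "differs from " + ", ".join(differing)
    return "ok", "sha256 " + live[:16] + "..."

def check_drivers(drivers=DEFAULT_DRIVERS):
    """Map each live driver path to its (status, detail) pair."""
    return {live: compare_driver(live, backups) for live, backups in drivers.items()}

def demo():
    """Constructed sample: one intact driver and one patched in place."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        clean = b"MZ" + b"\x00" * 64 + b"original driver code"
        patched = b"MZ" + b"\x00" * 64 + b"original driver cod3"  # one byte changed
        live_ok = write("tcpip.sys", clean)
        backup_ok = write("dllcache_tcpip.sys", clean)
        live_bad = write("atapi.sys", patched)
        backup_bad = write("backup_atapi.sys", clean)
        results = check_drivers({live_ok: [backup_ok], live_bad: [backup_bad]})
        return {os.path.basename(k): status for k, (status, _) in results.items()}
```

    A kernel rootkit that filters disk reads can hand a clean copy of the file to a user-mode reader, so a clean result from this script is only a first pass; a cross-view tool such as GMER, or hashing the files from a boot CD as chaslang suggests, is the authoritative check.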
     
  15. esl537

    esl537 Private E-2

    ok, made some progress.

    tdsskiller did not do anything.

    but, combofix did do something, unlike previous runs. this time combofix did not crash and instead came up with a message saying, "rootkit detected, need to reboot machine."

    so i let it reboot by itself. but when windows tried to load, it crashed saying that there was a problem. so i tried booting normally- no go. then i tried to boot into safe mode with networking- no go. as a last resort, i tried rebooting with last known good configuration.

    when windows loaded, the familiar blue window of combofix came up and started going through its stages. when it completes, i will attach logfiles.

    originally, i wrote this email to ask for help b/c i wasn't sure i was supposed to boot with last known good configuration. but i guess it was ok.

    more in a minute or so.
    edward
     
    Last edited by a moderator: Jun 2, 2010
  16. esl537

    esl537 Private E-2

    from what i can tell, the virus is GONE!!!!

    attached are logs.

    thank you so much!

    but, i am far from done yet. so now my computer is in a weird state b/c many of its services no longer function properly. for example, the "themes" service doesn't work and the last i checked, the firewall service couldn't be started (in fact, windows complains that no firewall service is up and running, not even its own). i know there are steps to perform after the virus is gone:
    http://forums.majorgeeks.com/showthread.php?t=139313

    but are there other steps that i can run to get my computer into a more "normal" state?

    edward
     

    Attached Files:

    Last edited by a moderator: Jun 2, 2010
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Excellent!

    You will have to check this out in the software forum or just start it yourself. This is not related to this malware.

    This does not matter since you don't want the Windows firewall anyway because it is ineffective. Once you reinstall McAfee, you will have their firewall and the rest of its protection.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hang on!!!!! I just noticed ComboFix deleted two files that we need to restore.



    Now we need to use ComboFix to dequarantine two files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.



    Then attach the below logs:
    • C:\ComboFix.txt
    Make sure you tell me how things are working now!
     
  19. esl537

    esl537 Private E-2

    hi,

    sorry i was gone for the last several days. i saw the last post before i left so i knew i had some work left to do.

    i ran the dequarantine with combofix. attached is the logfile. it seems that everything is fine. web searches are running fine. the issue right now is, i have to restore my computer back to the original state with themes, etc.

    edward

     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great. Make sure you complete my final instructions and then you can work your remaining issues in the Software Forum.
     
