Redirect problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by jennyhj, Apr 16, 2013.

  1. jennyhj

    jennyhj Private E-2

    A few days ago I started being redirected to asearchclub.com. I've run several antivirus programs but nothing seems to work. Followed the instructions on malware removal (hopefully correctly!!) but still have the same problem. I must admit I'm not the most gifted person when dealing with problems like this and would really appreciate some help. Thanks

    Attached are logs except the MGTools - message saying it couldn't be created.
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to MajorGeeks, jennyhj :)

    Can you go into more detail on what happened during the MGtools scan?

    If C:\MGlogs.zip is not present, please try running the following batch file by right-mouse clicking it and then selecting "Run as Administrator" : C:\MGtools\ReZip.bat

    __

    If there is still an issue getting a MGlogs.zip or MGlogsR.zip, then proceed with the following:

    Download and run: OTL
    Press the "Run Scan" button and then attach the following logs which should be in the same directory that the tool was run from:

    • OTL.txt
    • Extras.txt
     
  3. jennyhj

    jennyhj Private E-2

    Thanks for replying. Ran MGTools again, got log this time. Also ran OTL as you suggested and attached those too.
     


  4. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Big Fish Games: Game Manager
    • Free RAR Extract Frog
    • IObit Apps Toolbar v7.0
    • Java 7 Update 17
    • Java(TM) 6 Update 37

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    IE - HKLM\..\SearchScopes\{46197f3d-30e7-4905-a14b-02bee3aaeb58}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZR^xpt139^YY^gb&ptb=33A40B4B-537D-414A-863A-38513769E482&ind=2013041203&n=77fc9233&psa=&st=sb&searchfor={searchTerms}
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253
    IE - HKCU\..\URLSearchHook:  - No CLSID value found
    IE - HKCU\..\URLSearchHook: {3bbd3c14-4c16-4989-8366-95bc9179779d} - No CLSID value found
    FF - prefs.js..browser.startup.homepage: "http://www.delta-search.com/?affID=119523&babsrc=HP_ss&mntrId=763796c100000000000088252c6f6a91"
    [2012/03/08 18:09:56 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Users\Jenny\AppData\Roaming\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
    CHR - Extension: Bcool = C:\Users\Jenny\AppData\Local\Google\Chrome\User Data\Default\Extensions\kckoimjofdmgkkhmanlbmpdahibgkppl\1.0_0\
    O2:64bit: - BHO: (no name) - {386f13ce-17c9-4ba7-aa39-660a28aa834a} - No CLSID value found.
    O2 - BHO: (no name) - {386f13ce-17c9-4ba7-aa39-660a28aa834a} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {3BBD3C14-4C16-4989-8366-95BC9179779D} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {858E1331-E1CC-4C88-A777-1B2EAD236207} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE7A09DE-6AB5-4DD5-B50A-D6985F9824F2} - No CLSID value found.
    @Alternate Data Stream - 96 bytes -> C:\ProgramData\TEMP:1DEE6B65
    @Alternate Data Stream - 378 bytes -> C:\ProgramData\TEMP:548D1E28
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:B86642C5
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:C5D15631
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:254AD2ED
    @Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:67A91473
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:0474F714
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:C0D23A2F
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:2CB9631F
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:D3331ADB
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:7D938C9B
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:2043337E
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:1CD511E5
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:5539129F
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:4C71A42B
    @Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:5C321E34
    :files
    dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JetClean" /c
    dir C:\Windows\SysWow64\3054 /c
    dir C:\Windows\SysWow64\3053 /c
    C:\Program Files (x86)\IObit Apps Toolbar
    C:\Users\Jenny\AppData\LocalLow\Delta
    :reg
    [-HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKLM\SOFTWARE\Wow6432Node\DataMngr]
    [-HKU\S-1-5-21-525370765-1179894821-1266436076-1000\Software\DataMngr]
    [-HKU\S-1-5-21-525370765-1179894821-1266436076-1000\Software\DataMngr_Toolbar]
    [-HKU\S-1-5-21-525370765-1179894821-1266436076-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-525370765-1179894821-1266436076-1000\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings]
    :commands
    [emptytemp]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Please download Junkware Removal Tool to your desktop.
    • Please save the work in your browsers before proceeding.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
    • Press any key to begin scanning.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Please attach JRT.txt to your next message. (How to attach)

    Attach the requested logs above and then let me know if the problem still persists. And if it does persist, let me know which browsers are being affected.
     
  5. jennyhj

    jennyhj Private E-2

    Still have the problem in IE
     


  6. thisisu

    thisisu Malware Consultant

    Ok, please scan with the following next: DDS

    Attach the logs from the tool when finished.
     
  7. jennyhj

    jennyhj Private E-2

    As requested
     


  8. thisisu

    thisisu Malware Consultant

    Hi,

    This log doesn't show its trace either. Two things I'd like you to try:

    First,

    I want you to find the Internet Explorer icon that you are using to open Internet Explorer. When you find it, right-mouse click on it and select Properties.

    In the Properties window that appears, go to the Shortcut tab and view the contents of the Target: text-field. Is there anything at the end of it?

    Mine shows something like this: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    Does yours have something added to the end of it? Such as a URL? If so, remove the URL portion of it.

    __

    Next (if the above wasn't an issue), try this:

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :regfind
    *searchclub*
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
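The shortcut check described in the post above can be done for every Internet Explorer shortcut at once. The script below is an added example, not something from the thread or from the tools it mentions; it assumes the shortcuts live in the usual Desktop, Start Menu and Quick Launch folders (adjust $roots otherwise) and uses the WScript.Shell COM object, which splits the Target field the Properties dialog shows into TargetPath and Arguments.

```powershell
# Added example (not from the thread): find Internet Explorer shortcuts whose
# Target has anything appended after iexplore.exe, such as a URL.
# Assumption: shortcuts are in the standard per-user and all-users folders below.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Only shortcuts that launch Internet Explorer are of interest here
            if ($lnk.TargetPath -match 'iexplore\.exe$') {
                [PSCustomObject]@{
                    Shortcut   = $_.FullName
                    Target     = $lnk.TargetPath
                    Arguments  = $lnk.Arguments
                    # A clean IE shortcut has an empty Arguments field; a URL or any
                    # other text here is what the post asks the user to remove.
                    Suspicious = -not [string]::IsNullOrWhiteSpace($lnk.Arguments)
                }
            }
        }
}

$findings | Format-Table -AutoSize

$findings | Where-Object { $_.Suspicious } | ForEach-Object {
    Write-Warning "Shortcut $($_.Shortcut) launches IE with arguments: $($_.Arguments)"
}
```

Nothing is modified; a flagged shortcut is cleaned by hand through its Properties dialog exactly as the post describes.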
     
  9. jennyhj

    jennyhj Private E-2

    There's nothing at the end of the .exe file.
     


  10. thisisu

    thisisu Malware Consultant

    And it's not in the registry at all either, unless it has a different name than what you provided.

    Can you take a screenshot of your hijacked Internet Explorer browser so I can hopefully get a better understanding where it may be residing?

    http://www.take-a-screenshot.org/
     
  11. jennyhj

    jennyhj Private E-2

    This problem seems to be very random: it doesn't always happen when I search, and when it does I get redirected to all sorts of sites - special offers, porn and casino sites usually. It always starts with a white screen with "redirecting" in the top left hand corner and connects to asearchclub.com, which then goes to the random site. If I quickly click on 'back' before the asearchclub tab disappears, return to the search results and try again, after 2 or 3 attempts it will usually go to the actual page selected.
     


  12. thisisu

    thisisu Malware Consultant

    Thank you for the screenshot.

    I'd like to see what the following scans reveal:


    Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following in the edit box:

    • Check the Search Registry radio button.
    • Put a check-mark next to HKRC box.
    • Press Go button. Please attach it to your reply.

    __

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  13. jennyhj

    jennyhj Private E-2

    Scans done
     


  14. thisisu

    thisisu Malware Consultant

    Can you verify that this problem only occurs in Internet Explorer, and not Mozilla FireFox and/or Google Chrome?

    __

    The previous logs didn't show any trace of the infection. I'd like to see what this program shows:

    ComboFix - How to Use ComboFix

    Run this program for me, and attach the log that is given once the program completes. It can be retrieved from C:\ComboFix.txt.
     
  15. thisisu

    thisisu Malware Consultant

    Please delete the above files. Let me know if you were successful or not.
     
  16. jennyhj

    jennyhj Private E-2

    It seems it only happens in IE, ran searches in Firefox and Chrome several times and no problem. Deleted the files and still have same problem in IE.
     

  17. thisisu

    thisisu Malware Consultant

    You're right, this is not the type of redirect we typically see. In fact, I think this one may be fairly new. I think I see where it was residing now. Sorry for the delay, hopefully this fixes the issue. Let me know either way.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :processes
    killallprocesses
    :otl
    O2 - BHO: (Groove GFS Browser Helper) - {390C7E87-153C-12DB-2EA6-0BB301EB26E9} - C:\Windows\SysWOW64\D3DX9_411.dll ()
    :files
    c:\windows\system32\IEUDINIT.EXE
    c:\windows\SysWow64\p5PSSavr.scr
    c:\windows\SysWOW64\D3DX9_411.dll
    C:\Users\Jenny\Downloads\Codec_Pack*.exe /d
    C:\Users\Jenny\Downloads\theme.crx
    C:\Users\Jenny\Downloads\iLividSetup.exe
    C:\Users\Jenny\Downloads\xvidly*.exe /d
    C:\Users\Jenny\Downloads\Player_V*.exe /d
    dir C:\Users\Jenny\AppData\Roaming\bibstats /c
    C:\Windows\SysWOW64\AbaleeeeeZip.dll
    C:\Windows\SysWOW64\DevicePairiing.dll
    C:\Windows\tasks\At1.job
    :commands
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
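The O2 entries in the two OTL fixes above (orphaned BHOs with "No CLSID value found", and finally a BHO registered under a legitimate product name but loading a DLL from SysWOW64) are the kind of thing a BHO inventory surfaces. The script below is an added example, not from the thread or from OTL; it assumes an elevated 64-bit PowerShell, reads both the native and Wow6432Node registry views, and treats a missing, unsigned, or system-directory DLL as worth a closer look.

```powershell
# Added example (not from the thread): list every Browser Helper Object that
# Internet Explorer will load, resolve the CLSID to its DLL and flag oddities.
# Assumption: run elevated on 64-bit Windows so both registry views are readable.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

$results = foreach ($key in ($bhoKeys | Where-Object { Test-Path $_ })) {
    foreach ($entry in Get-ChildItem $key) {
        $clsid = $entry.PSChildName
        $name = $null; $dll = $null
        # The BHO key only holds the CLSID; the display name and DLL live under CLSID\{...}
        foreach ($root in $clsidRoots) {
            $ck = Join-Path $root $clsid
            if (Test-Path $ck) {
                $name = (Get-ItemProperty $ck -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty (Join-Path $ck 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { break }
            }
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $exists = [bool]$dll -and (Test-Path $dll)
        $sig = if ($exists) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
        $inProgramFiles = [bool]$dll -and (
            $dll -like "$env:ProgramFiles\*" -or $dll -like "${env:ProgramFiles(x86)}\*")
        [PSCustomObject]@{
            CLSID      = $clsid
            # An orphaned entry (no CLSID key at all) is what OTL prints as "No CLSID value found"
            Name       = if ($name) { $name } else { '(no name)' }
            Dll        = $dll
            Signature  = $sig
            # A vendor-named BHO whose DLL sits in a system directory, is unsigned, or is
            # missing entirely is the pattern seen in the final fix above.
            Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or (-not $inProgramFiles)
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A "Suspicious" row is a lead, not a verdict: some legitimate add-ons are unsigned or installed outside Program Files, so confirm the DLL's origin before removing anything.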
     
  18. jennyhj

    jennyhj Private E-2

    Well it seems to have done the trick :). Many, many thanks, you're my hero!!!!
     


  19. thisisu

    thisisu Malware Consultant

    You're welcome :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
