Amazing Search Engine Redirect Issue

missymarie1014

This is Windows XP Pro SP3 with Internet Explorer 7. I have a search engine redirect problem which has some very interesting characteristics. First, this problem occurs across all search providers, google, bing, live, etc. Second, it is not user specific. Regardless of the log in name the action occurs consistently. Third, the action is that after you do the search and receive the search results, when you click on the result you are redirected to a solicitation or information page that is somewhat related to the subject matter of your search results. If you click back and go back to the search results and choose the same result a second time, it comes up correctly. And this aspect of the problem where a second and any subsequent click of the result brings up the correct site is consistent across all the search engines. I have run thorough scans using Spyware Terminator, AdAware, MalWareBytes, and Avast. The malware, adware, and spyware scans caught various relatively minor things, but my system still has the issue. My hosts file is unchanged and there is no Internet Explorer Search Page key in the Registry. Additionally, I am evaluating the Non Plug and Play Devices area from the Device Manager to see if anything there might be amiss. Any help would be greatly appreciated.
 
As a followup to this post, I have evaluated the items in the Non Plug and Play Device list between this machine and a similar one and the following items are in the affected machine but not in the other machine.

GMSIPCI
MSICPL
Nal Service
NTACCESS
Serial
SetupNTGLM7X

Thanks!
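
The comparison described in the post above (driver entries present on the affected machine but not on a similar clean one) can be scripted; this is an added example, not part of the original thread. It assumes each machine's list was exported with `driverquery /FO CSV`, and the module names and link dates in the sample data are constructed.

```python
import csv
import io

# Constructed sample exports in `driverquery /FO CSV` layout. Display names of
# the extra entries come from the post; module names and dates are made up.
HEADER = '"Module Name","Display Name","Driver Type","Link Date"\n'
BASELINE_CSV = HEADER + (
    '"Beep","Beep","Kernel","8/17/2001 1:47:33 PM"\n'
    '"Null","Null","Kernel","8/17/2001 1:47:39 PM"\n'
    '"Tcpip","TCP/IP Protocol Driver","Kernel","4/13/2008 12:20:12 PM"\n'
)
SUSPECT_CSV = HEADER + (
    '"Beep","Beep","Kernel","8/17/2001 1:47:33 PM"\n'
    '"NULL","Null","Kernel","8/17/2001 1:47:39 PM"\n'
    '"Tcpip","TCP/IP Protocol Driver","Kernel","6/20/2009 3:02:41 AM"\n'
    + "".join(f'"{n}","{n}","Kernel","1/1/2009 12:00:00 AM"\n' for n in (
        "GMSIPCI", "MSICPL", "Nal Service", "NTACCESS", "Serial", "SetupNTGLM7X"))
)


def load_drivers(csv_text):
    """Map lower-cased module name -> CSV row for one machine's export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["Module Name"].strip().lower(): row for row in rows}


def only_on_suspect(baseline_csv, suspect_csv):
    """Display names of drivers that exist only on the affected machine."""
    baseline, suspect = load_drivers(baseline_csv), load_drivers(suspect_csv)
    return [suspect[m]["Display Name"] for m in sorted(set(suspect) - set(baseline))]


def changed_link_date(baseline_csv, suspect_csv):
    """Drivers present on both machines whose build (link) date differs,
    which can indicate a replaced or patched driver file worth checking."""
    baseline, suspect = load_drivers(baseline_csv), load_drivers(suspect_csv)
    shared = sorted(set(suspect) & set(baseline))
    return [suspect[m]["Display Name"] for m in shared
            if suspect[m]["Link Date"] != baseline[m]["Link Date"]]


if __name__ == "__main__":
    print("Only on affected machine:", only_on_suspect(BASELINE_CSV, SUSPECT_CSV))
    print("Different link date:", changed_link_date(BASELINE_CSV, SUSPECT_CSV))
```

Entries reported this way are leads to research, not verdicts, since two similar machines can legitimately differ in hardware drivers and patch level. A rootkit that hides its driver from the operating system's own listing will not appear in either export, which is why a dedicated rootkit detector is still needed.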
 
Sounds like a rootkit. Try a rootkit detector, such as GMER. This topic has been covered in numerous threads in forum760, you might want to search or post a new thread there.
 
I'd also run a HijackThis scan - it sounds like some sort of browser hijacker...

ROGER - G0AOZ.
 
It sounds like you may have picked up something called "Overclick.cn"?

Note to all - Overclick.cn is out there

Internet Explorer problem opening links after searching using google

Help with browser hijacker

Firefox Home Page effectively hijacked by Yahoo Search
 
I had a machine a few months ago that fit the OP's description almost exactly (browser redirection, affecting multiple search engines, malware and AV scans came up clean). Additionally, HijackThis came up clean. I had a recent Acronis image on hand; this saved me a lot of time, but it prevented me from learning what the real issue was :(

Hadn't heard of overclick.cn before... Linney, that first link you posted (Note to all - Overclick.cn is out there) is to a Private Group. Any info in there that you can share here?
 
Hi,
I posted that original note in the private group, it discusses using Combofix to rid yourself of that pesky infection:
Turkbear said:
Hi,
I am running Windows XP SP3 all updates, TrendMicro Internet Security (updated automatically), SpyBot S&D, SpywareBlaster (all updated weekly), yet I still got infected with the nasty rootkit overclick.cn - So, if you notice odd search results in Google, Yahoo or other search sites, be aware that this nasty fellow is missed by most Anti Malware Anti Virus programs...

I needed to run one called ComboFix from bleeping computer's downloads to find and fix it...

Just a heads up to this community and will those who know advise the correct forums here about this..

Thanks
Try these instructions (worked for me)

To Paraphrase: "The Help you get is proportional to the Help you give.."
 
Sorry about that link it is a private forum, but Googling for the Overclick.cn will bring up lots of information I expect, that's if "Turkbear's" link doesn't solve it, the other links also mention ComboFix.
 
Use Combofix at your own risk - Bleeping Computer says as much. Something like "don't run without our supervision and direction". It CAN screw up your machine, but if you allow it to install the recovery console (as it prompts you to do), you shouldn't be dead in the water.

I agree it's a good tool, but it's sort of like your dog when it gets out of the yard - it can do whatever it wants and you don't really know what it's doing. You have to have faith that it's doing the right things. Woof.

I usually run it after trying the other things in my bag of tricks and there is a stubborn rootkit, malware keeps coming back or search redirect won't go away.
 
A wild card. Try changing your DNS settings to OpenDNS, see if that makes a difference

208.67.222.222
208.67.220.220

Robert Wilensky:
We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true.

 
The current kings of antimalware/antispyware in general:
Malwarebytes AntiMalware
SuperAntiSpyware
Combo Fix - as goomb pointed out though, it can be dangerous, so be careful.

Best Software Firewalls:
Comodo Internet Security
Tall Emu Online Armor (currently 32 bit only)

Best AV programs:
Avira Antivir
Eset Nod32
Maybe Microsoft Security Essentials - at least one user here has mentioned running it alongside a standard AV.

Those are my opinions, currently, based on threads here, various review sites, and my own personal experience. SpywareBlaster makes sure various system settings are secure. Spybot Search and Destroy is still okay for some things, but it's nothing compared to Malwarebytes and Super.... Ad-Aware is practically useless nowadays compared to the others.

And of course, there are other tools as well...

Regardless of what new stuff comes out, these should keep most folks covered... especially if you have a hardware firewall (router) in front of your computer. If you've got more than one computer, and on the Internet, you likely have a router already... if you use wireless, you've got a router. ;0)

--

"If to err is human, then I must be some kind of human!" -Me
 
Those are good suggestions, however, circumstances often determine that you need to use different tools, which is beyond the scope of these posts.

What that means is: if the malware zigs, you have to zag. Which doesn't mean anything specific, but that's the point. You have to see it, feel it and understand what it's trying to do and if it's trying to come back.

The days of simply running a particular tool to remove infections are going away. More and more malware will come back and even hide for a while before coming back. It's more of an art than a science at times.
 
Well, there is always one math that always works, regardless:
0

[wink]

You wipe the drive with 0s or some other base-level formatting technique, and 0 chance of survival.

--

"If to err is human, then I must be some kind of human!" -Me
 
Yes - always quite effective and underrated as a method of fixing your windows installation. Also helps rid yourself of all that pesky data that you FORGOT to back up, but that's another issue.
 
Thanks for all your informative posts and suggestions. As suggested by guitarzan, I posted in the Virus/Spyware forum and am in the process of running through a set of procedures supervised by pechenegs. I have run ATF Cleaner and Combo Fix and am awaiting further instructions. As noted in your comments about Combo Fix, although my machine appears to boot properly under normal mode, it will not safe boot successfully (machine just recycles once it starts to load drivers). I'm not that concerned as I have a restore point and recovery console installed. I'm just waiting now on further instructions. Thanks again for all the posts! I learned a lot.
 
That's a good course of action - let them talk you through removal. Usually, not booting into safe mode is due to some driver that isn't loading properly. It might have nothing to do with the malware.
 
WinXP Pro won't boot into safe mode
thread779-1020730

Windows XP Home won't reboot into safe mode.
thread779-1110534

Blue Screen 0x0000007E ONLY in Safe Mode
thread779-1581486

Try running ChkDsk to check your drive for errors. Right-click your Drive icon/ Properties/ Tools/ Error Checking. Select both boxes.

Run the System File Checker program from the Run Box by typing.....Sfc /Scannow in it and have your XP CD handy.


If they don't work you could try repairing windows by running it over itself. You will lose all your windows updates but your files will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)
 
and am in the process of running through a set of procedures supervised by pechenegs.
In that case, you're DEFINITELY in good hands! I'd say he's the king of dealing with malware, viruses, etc. He's just not been around tek-tips as much for a while. Hopefully he'll be able to be more active here once again. It used to be when he was active here, everyone else pretty much just had to sit, watch, and learn. [thumbsup2]

For anyone interested in following, here's the OP's new post in the virus removal forum:
thread760-1592987

--

"If to err is human, then I must be some kind of human!" -Me
 