Search Engine Redirect Issue 3

[missymarie1014]

This is Windows XP Pro SP3 with Internet Explorer 7. I have a search engine redirect problem which has some very interesting characteristics. First, this problem occurs across all search providers, google, bing, live, etc. Second, it is not user specific. Regardless of the log in name the action occurs consistently. Third, the action is that after you do the search and receive the search results, when you click on the result you are redirected to a solicitation or information page that is somewhat related to the subject matter of your search results. If you click back and go back to the search results and choose the same result a second time, it comes up correctly. And this aspect of the problem where a second and any subsequent click of the result brings up the correct site is consistent across all the search engines. I have run thorough scans using Spyware Terminator, AdAware, MalWareBytes, and Avast. The malware, adware, and spyware scans caught various relatively minor things, but my system still has the issue. My hosts file is unchanged and there is no Internet Explorer Search Page key in the Registry. Additionally, I am evaluating the Non Plug and Play Devices area from the Device Manager to see if anything there might be amiss. Any help would be greatly appreciated.

 

[missymarie1014]

MalWareBytes log below. Now proceeding with SuperAntiSpyware.

Malwarebytes' Anti-Malware 1.44
Database version: 3787
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/3/2010 5:20:23 PM
mbam-log-2010-03-03 (17-20-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 327040
Time elapsed: 29 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[missymarie1014]

SuperAntiSpyware completed with 10 items found, all tracking cookies. Please advise on any remaining procedures. Thanks!

 

[pechenegs]

run dr web and post its log as well and post a hijack this log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

The Dr Web log is 83000K. How do I go about posting that?

 

[missymarie1014]

Here is the HikackThis log ....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:22 PM, on 3/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1258650454421

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heritage.local
O17 - HKLM\Software\..\Telephony: DomainName = heritage.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4827466B-3510-4DE9-93E6-A47FF92C1C54}: NameServer = 192.168.0.150,192.168.0.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heritage.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4281 bytes

 

[pechenegs]

just post he part where it lists viruses that it found, if it didn't find any then your ok!?

Your log looks clean now, is your computer running better now?


Have you a firewall, you really need one if you haven't and windows doesn't block incoming threats!


Your version of Avast is out of date you should update to version five!

http://www.avast.com/free-antivirus-download

you should also get a free firewall, pctools is currently a good free one!

http://www.pctools.com/firewall/

You should now turn off system restore to flush out the bad restore points
and
then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here's some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from

http://www.javacoolsoftware.com/downloads.html

get the hosts file from here.Unzip it to a folder!

http://www.mvps.org/winhelp2002/hosts.htm

put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

when you visit innocent-looking sites that aren't actually innocent at all.

http://www.spywarewarrior.com/uiuc/resource.htm

Use either Arovax or spyware terminator, you could try both and see
what one you like!


Arovax shield.

http://www.arovaxshield.com/

Spyware Terminator

http://www.spywareterminator.com/dnl/landing.aspx

In spyware terminator, click real time protection and tick the box to use
real time protection and tick all the boxes except file exceptions shield.
If your confident in using its advanced feature, click advanced and tick
the HIPS box.

If you want to install and uninstall programs it is best to
temporarily disable Spyware terminator and then re-enable it after you
have installed or uninstalled a program as it will create a lot of pop ups
asking you do you wish this to happen!

Right click spyware terminator on the bottom right of your status bar and
choose exit.Then tick the box and that is spyware terminator disabled!




I would also suggest switching to Mozilla's firefox browser, it's safer, has
a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is
also a good
e-mail client.

http://www.mozilla.org/

Another good and free browser is Opera!

http://www.opera.com/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

you can mark your own thread solved through thread tools at the top of
the page.





Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[missymarie1014]

Thanks for all your help! I learned a lot which I can take with me when situations arise again.

 

[DTracy]

Pechenegs,

Nice job, very thorough and patient, and a star.

Regards,
David.

 

[kjv1611]

Here here, lots of excellent info all in one thread!

 

[missymarie1014]

Last question, I was wanting to know if any or all of these tools, particularly Dr Web, SmitFraud, and Combo Fix, would have any issues being used in a Windows 7 environment? Thanks!

 

[sggaunt]

A quick word about Spyware Terminator

Most new W7 Laptops (in the UK anyway ) now seem to come with W7 64bit OS pre-installed.
This means that SWT wont run correctly (the real time shield wont run making it effectivly usless).
I dont know how far off of a 64bit compatable release they are, watch this space.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

 

[pechenegs]

most of these tools should be ok, as win 7 can run many tools that xp use, however, you'll only know if you try and run them!

In vista, we had many problems as most tools and also including many anti viruses , ant spyware tools initially weren't compatible with Vista and wouldn't run, like combo, smitfraud etc!!

However, I have just within the last 3 weeks bought and installed win 7 and virtually all my software programs run ok in Win 7, the only one that didn't was Arovax which hasn't been developed or updated since about 2007-8 so it isn't compatible with anything after Xp or Vista?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars