Home / Software / Computer viruses and spyware / Search Engine Redirect Problem
Author Topic: Search Engine Redirect Problem  (Read 1267 times)
KCButchP (Topic Starter, Greenhorn, Posts: 5)
« on: December 12, 2008, 12:59:46 AM »

Thank you in advance for your assistance.  I am having an issue similar to others that I have read on your site.  When I use Yahoo or Google to search the results look O.K. but when I click on them they send me to unusual locations.  I have gone through the steps as requested:

Step A:  Downloaded AVG Free Edition
Step 1:  Went to Add or Remove Programs and did not find anything unusual
Step 2:  Downloaded and ran CCleaner
Step 3:  Attempted to download and run SuperAntiSpyWare.  When I downloaded this program, the link shown in your instructions would not work for me.  My browser kept saying I did not have a connection.  I went directly to the Cnet site and downloaded the program; however, when I tried to run it I kept getting a "send error report" message and the program would not run.
Step 4:  Attempted to download and run Malwarebytes; however, had the same thing happen as above in Step 3.
Step 5:  Updated my Java and removed older versions
Step 6:  Downloaded and ran HijackThis.  Once again had to go to the Cnet site to download this program; however, in this instance I was able to get it to run.  The log file for it is posted below.

Once again thank you for your help in getting my machine back up and running.
Step 4: 

[Saving space - attachment deleted by admin]
CBMatt (Mod & Malware Specialist, Prodigy; Thanked: 160; Posts: 6,033; Experience: Experienced; OS: Windows 7; "Sad and lonely...and loving every minute of it.")
« Reply #1 on: December 12, 2008, 02:08:55 AM »

Hm, the log isn't really helping too much.  Have you tried renaming the SUPERAntiSpyware and Malwarebytes files?  If not, do that and then try installing.  Any luck?  If not, reboot into Safe Mode and then try installing Malwarebytes.  Post back with your results.  If you can manage to get any logs, please post them.
Quote: An undefined problem has an infinite number of solutions. (Robert A. Humphrey)
Actually, the name's Chris...
KCButchP (Topic Starter)
« Reply #2 on: December 13, 2008, 02:40:49 PM »

Chris,
Thanks for the ideas.  I tried renaming the files on both the SuperAntiSpyware and MBytes.  I just renamed the main executables by right clicking on them and renaming them; however, they still did not run.  When I double click on them the hourglass shows for about 10 seconds and nothing else happens.  I then uninstalled them and rebooted in safe mode with networking.  I then downloaded MalwareBytes in safe mode.  Tried to run it and had the same results (just an hourglass with nothing else happening).  Any other ideas???
Thanks
CBMatt (Mod & Malware Specialist)
« Reply #3 on: December 14, 2008, 08:06:21 PM »

Unfortunately, this particular infection is quite tricky.  We've been seeing a LOT of it lately and it always gives us trouble.  I just removed it from my father-in-law's computer last night...it was the worst case I have seen so far.

Try downloading ComboFix from one of the links on this page:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You may need to use another computer and transfer via CD or flashdrive.  Once it's on your computer, rename it and run it in Safe Mode.  If it works (let's cross our fingers), post back with the log.  With any luck, it should also weaken the infection.
KCButchP (Topic Starter)
« Reply #4 on: December 15, 2008, 07:35:06 PM »

Finally got ComboFix to install and run.  I did have to download it to another machine and transfer it using a thumb drive.  Attached you will find the log file from ComboFix.  Maybe we are getting closer.  Thanks for your help.

[Saving space - attachment deleted by admin]
CBMatt (Mod & Malware Specialist)
« Reply #5 on: December 15, 2008, 10:02:01 PM »

We just received some new information today about this infection that may make it easier to combat.  If you are still having trouble with connecting to sites and running anti-virus programs, then try these steps...

  • Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
  • Scroll down to "Non-plug and Play Drivers" and click the plus icon to open those drivers.
  • Then search for TDSSserv.sys
  • Let me know if you find this or not.
  • If you do find it, right click on it, and select "Disable". Do not try to uninstall it.
  • Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run.

This may or may not work.  Once you have tried, follow this other set of instructions...

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
d:\documents and settings\All Users\Application Data\KGyGaAvL.sys
d:\documents and settings\All Users\Application Data\A44F6EF0C4.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze


And another set of instructions I would like you to follow...
Please print these instructions as they will be needed later when Internet access is not available.
 
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/151585130/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
 
Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.

In addition to the ComboFix and SDFix logs, I would like you to now try getting logs for SUPERAntiSpyware, Malwarebytes' Anti-Malware, and HijackThis.  I know it sounds like a lot, but do what you can.  With these programs, your infection doesn't stand a chance.
KCButchP (Topic Starter)
« Reply #6 on: December 15, 2008, 10:36:16 PM »

Chris,
I looked for TDSSserv.sys and did not find it.  Also, I checked out my searches and I am no longer having the redirect issue.  Do you still want me to follow the rest of the steps you described in your previous reply?  Thanks.
CBMatt (Mod & Malware Specialist)
« Reply #7 on: December 16, 2008, 05:43:56 PM »

You don't have to do it, but just to be on the safe side, I think it would be a good idea to follow the steps anyway.  Although your symptoms are gone, some traces of the file could still be around.  At the very least, delete the files with ComboFix and run SDFix.
KCButchP (Topic Starter)
« Reply #8 on: December 16, 2008, 11:04:32 PM »

My machine seems to be working much better now.  I did go ahead and do the following:

1.  Performed the CFScript/Combofix steps (combofix log is attached)
2.  Followed the SDfix instructions (log is attached)
3.  Downloaded and ran SuperAntiSpyware (log is attached)
4.  Ran Malwarebytes' Anti-Malware (log is attached)
5.  Ran HijackThis (log pasted below)

-------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:36 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] D:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Extract Flash Video with Bytescout... - D:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {88B25652-E4A9-4B04-83CB-4EBB3419B266} - D:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {88B25652-E4A9-4B04-83CB-4EBB3419B266} - D:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Extract Flash Video with Bytescout... - {FCE47A39-284A-4A56-AD9E-A5245386302A} - D:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - d:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 7028 bytes

--------------------------------------------------------------------------------------------------

Once again, thank you for your assistance.  Please let me know if you have any other suggestions for me.

I do have one other question:  I read in the news today that there is a vulnerability in Microsoft Internet Explorer that is being exploited.  Suggestions were to not utilize MS Internet Explorer until a patch is developed.  A couple other web browsers were suggested.  I was considering installing Firefox and using it.  Do you have any thoughts on this subject?  Thanks for your input.


[attachment deleted by admin]
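The HijackThis log above is a plain-text format that can be triaged mechanically rather than read line by line. The script below is an added example written for this page (it is not from the thread and it is not HijackThis code): it parses the O2/O3 (BHO, toolbar), O4 (Run keys, startup folder), O20 (AppInit_DLLs, Winlogon Notify) and O23 (service) line shapes seen in the log, then applies the editor's own heuristics, flagging AppInit_DLLs entries, entries HijackThis marks "(file missing)", and startup items that load from outside the Windows or Program Files directories. The sample lines are constructed in the style of the log above; the "updater" and "Example Driver" entries are invented for the example and are not real indicators.

```python
"""Parse HijackThis-style log entries and flag the ones worth a second look.

Added example (editor's own code, not from the thread or from HijackThis).
The flagging rules are the editor's heuristics, not HijackThis logic.
"""
import re

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# A quoted path, or an unquoted one up to the first executable/library extension
PATH_RE = re.compile(r'"([^"]+)"|(.*?\.(?:exe|dll|sys|html|lnk))(?=\s|$)', re.IGNORECASE)
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?)(?: \(([^)]+)\))? - (.*?) - (.*)$")
# Directories a startup item is normally expected to load from (editor's assumption)
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files|progra~1)\\", re.IGNORECASE)


def extract_path(text):
    """Return the leading file path in `text`, dropping quotes, arguments and HJT notes."""
    m = PATH_RE.match(text.strip())
    return (m.group(1) or m.group(2)) if m else None


def parse_line(line):
    """Return {"section", "kind", "name", "path", "raw"} or None for a non-entry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    rec = {"section": section, "kind": None, "name": None, "path": None, "raw": line.strip()}
    if body.startswith(("BHO: ", "Toolbar: ")):
        rec["kind"], rest = body.split(": ", 1)
        rec["name"], _clsid, path = rest.rsplit(" - ", 2)
        rec["path"] = extract_path(path)
    elif (m := RUN_RE.match(body)):
        hive, rec["name"], path = m.groups()
        rec["kind"], rec["path"] = hive + " Run", extract_path(path)
    elif (m := STARTUP_RE.match(body)):
        rec["name"], path = m.groups()
        rec["kind"], rec["path"] = "Startup folder", extract_path(path)
    elif body.startswith("AppInit_DLLs: "):
        rec["kind"], rec["name"] = "AppInit_DLLs", body[len("AppInit_DLLs: "):]
    elif body.startswith("Winlogon Notify: "):
        rec["name"], path = body[len("Winlogon Notify: "):].split(" - ", 1)
        rec["kind"], rec["path"] = "Winlogon Notify", extract_path(path)
    elif (m := SERVICE_RE.match(body)):
        rec["name"], _short, _vendor, path = m.groups()
        rec["kind"], rec["path"] = "Service", extract_path(path)
    return rec


def flag(rec):
    """Editor's heuristics: return the reasons an entry deserves a closer look."""
    reasons = []
    if rec["kind"] == "AppInit_DLLs":
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll")
    if "(file missing)" in rec["raw"]:
        reasons.append("image file is missing (orphaned entry, or a file hidden from normal listing)")
    if rec["path"] and not TRUSTED_DIR_RE.match(rec["path"]):
        reasons.append("loads from outside the Windows or Program Files directories")
    return reasons


def analyze(log_text):
    """Parse every entry line and return the flagged ones with their reasons."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reasons := flag(rec)):
            flagged.append({**rec, "reasons": reasons})
    return flagged


# Constructed sample in the shape of the v2.0.2 log above; the "updater" and
# "Example Driver" lines are invented for the example and are not real indicators.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] D:\Documents and Settings\All Users\Application Data\EXAMPLE_UPDATER.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Example Driver (exampledrv) - Unknown owner - D:\WINDOWS\system32\drivers\exampledrv.sys (file missing)
""".strip()

if __name__ == "__main__":
    for entry in analyze(SAMPLE_LOG):
        print(entry["section"], entry["name"], "->", "; ".join(entry["reasons"]))
```

The trusted-directory rule is deliberately coarse: it does not declare anything clean, it only narrows the log down to the entries a reviewer should actually look up. A legitimate AppInit_DLLs entry such as AVG's avgrsstx.dll is still flagged, because that load mechanism is worth confirming every time.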
CBMatt (Mod & Malware Specialist)
« Reply #9 on: December 16, 2008, 11:55:20 PM »

Your computer is looking much better now!  The scans came up mostly empty, but SDFix did find a couple of registry entries we need to get rid of.  Copy all of the text in the code box below...

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules]

Paste the text into a Notepad file and go to File > Save As.  In the Save As Type section, select All Files and then save the file as tds.reg on the desktop.  Double-click the new file to run it and when prompted, select Yes.  You can delete the file now.  You can also uninstall SDFix.

Quote from: KCButchP
Once again, thank you for your assistance.  Please let me know if you have any other suggestions for me.

I do have one other question:  I read in the news today that there is a vulnerability in Microsoft Internet Explorer that is being exploited.  Suggestions were to not utilize MS Internet Explorer until a patch is developed.  A couple other web browsers were suggested.  I was considering installing Firefox and using it.  Do you have any thoughts on this subject?  Thanks for your input.
Honestly, I don't know all of the details, but you may want to read this post:
http://www.computerhope.com/forum/index.php/topic,72357.0/topicseen.html
To be on the safe side, you may want to consider using Firefox temporarily, although I personally am not super concerned.

One thing that will help is getting a decent firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.


And since you no longer need ComboFix, go ahead and uninstall it.  Go to Start > Run and type combofix /u (note the space between combofix and /u) and click OK.

If that doesn't work, then download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.


Also...you'll want to clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

1.  Go to Start > Programs > Accessories > System Tools > System Restore
2.  Click on System Restore Settings.
3.  Check Turn off System Restore and click OK.
4.  Restart your computer.
5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6.  Create a new restore point and close the program.

System Restore will now be active again.  If you would like to learn more about System Restore, go here.


I'm sorry to give you even more work, but after this, you'll be free to go!
« Last Edit: December 17, 2008, 12:13:30 AM by CBMatt »
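Reply #5's Device Manager check (a hidden non-plug-and-play driver named TDSSserv.sys) and Reply #9's tds.reg file both come down to inspecting and editing service keys under HKEY_LOCAL_MACHINE\SYSTEM\ControlSetNNN\Services. The script below is an added example written for this page (it is not the thread's, ComboFix's or SDFix's code): it parses a regedit export, audits kernel-driver service keys with the editor's own heuristics, and checks that a removal .reg file only deletes keys under the intended path while reporting which control sets it touches. That last check is worth having because the thread's CFScript targets ControlSet003 while the tds.reg file targets ControlSet001; on a live system the control set actually in use is the one HKEY_LOCAL_MACHINE\SYSTEM\Select\Current points to. The registry export is constructed for the example and EXAMPLE_DRIVER.sys is a placeholder, not a real indicator.

```python
"""Parse Windows .reg exports and audit driver service keys.

Added example (editor's own code, not from the thread, ComboFix or SDFix).
Heuristics and the sample export are constructed for the example.
"""
import re

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                 # "[-KEY]" means delete
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$",
    re.IGNORECASE,
)
CONTROL_SET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)
SERVICE_KERNEL_DRIVER = 1  # "Type" value of a kernel-mode driver service


def _decode_data(data):
    """Convert the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"'):                      # REG_SZ with \\ and \" escapes
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.startswith("dword:"):                 # REG_DWORD, hex digits
        return int(data[6:], 16)
    if data.startswith("hex(2):"):                # REG_EXPAND_SZ as UTF-16LE bytes
        raw = bytes.fromhex(data[7:].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("hex:"):                   # REG_BINARY
        return bytes.fromhex(data[4:].replace(",", ""))
    return data                                   # other types: keep the text


def parse_reg(text):
    """Return {key_path: {"delete": bool, "values": {name: value}}} for .reg text."""
    logical, pending = [], ""
    for line in text.splitlines():
        line = pending + line.strip()             # join regedit's trailing-backslash continuations
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    keys, current = {}, None
    for line in logical:
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(2), {"delete": m.group(1) == "-", "values": {}})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current["values"][name] = _decode_data(m.group(2))
    return keys


def audit_driver_services(keys):
    """Editor's heuristics: a kernel driver with no ImagePath, an image outside
    system32\\drivers, or a service key named like a file (as TDSSserv.sys is)."""
    findings = []
    for path, entry in keys.items():
        m = SERVICE_KEY_RE.match(path)
        if not m or entry["delete"] or entry["values"].get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        name, image, reasons = m.group(2), entry["values"].get("ImagePath"), []
        if image is None:
            reasons.append("kernel driver with no ImagePath")
        elif "system32\\drivers\\" not in image.lower():
            reasons.append("driver image outside system32\\drivers: " + image)
        if name.lower().endswith(".sys"):
            reasons.append("service key is named like a file")
        if reasons:
            findings.append((name, reasons))
    return findings


def check_removal_script(text, allowed_root):
    """Confirm a .reg file only deletes keys under allowed_root; report the control sets it touches."""
    keys, problems = parse_reg(text), []
    for path, entry in keys.items():
        if not entry["delete"]:
            problems.append("writes instead of deleting: " + path)
        if not path.lower().startswith(allowed_root.lower()):
            problems.append("outside the allowed key: " + path)
    sets = sorted({m.group(1) for m in map(CONTROL_SET_RE.search, keys) if m})
    return {"ok": not problems, "problems": problems, "control_sets": sets}


# Constructed sample export: an ordinary driver plus a key mimicking the TDSSserv.sys
# entry named in the thread; EXAMPLE_DRIVER.sys is a placeholder, not a real indicator.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,2e,00,73,00,\
  79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\D:\\Documents and Settings\\All Users\\Application Data\\EXAMPLE_DRIVER.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules]
"""

# The removal file CBMatt posted in Reply #9, as written there.
TDS_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules]
"""

if __name__ == "__main__":
    for name, reasons in audit_driver_services(parse_reg(SAMPLE_EXPORT)):
        print(name, "->", "; ".join(reasons))
    print(check_removal_script(TDS_REG, r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys"))
```

Regedit writes .reg files as UTF-16 with a byte-order mark; read the file with that encoding before handing the text to parse_reg. The continuation handling matters because regedit wraps long hex(2) values across lines with a trailing backslash, which is exactly how ImagePath values are usually exported.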
Copyright © 2010 Computer Hope ® All rights reserved.