
Author Topic: search engines hijacked  (Read 12682 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: search engines hijacked
« Reply #15 on: November 01, 2007, 09:57:31 PM »
Please download ATF Cleaner by Atribune: ATF Cleaner.exe. This program does not require an installation. The executable actually runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

==========

Next:

1. Please download Combofix by sUBs. Place it on your Desktop. combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Combofix will create a backup of anything removed in C:\qoovox.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

==========

Next post please add:
Combofix log

kletus23

    Topic Starter


    Rookie

    Re: search engines hijacked
    « Reply #16 on: November 02, 2007, 11:48:15 AM »
    I found similar files in those two locations, but the names don't match exactly.  Here's what I found:

    ConfigOCXDos32.exe-up.txt

    _wrar370.exe

    Thanks for the info on System Restore.  I'm guessing I need to go back and do that with another clean?

    I tried attaching the host files you asked for, but it says I'm not allowed to attach that type of file.  Any ideas?


    I ran the two programs requested.  Here's the combofix log:

    ComboFix 07-11-02.3 - Sadler 2007-11-02 11:35:38.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.201 [GMT -6:00]
    Running from: C:\Documents and Settings\Power User\Desktop\ComboFix.exe
     * Created a new restore point
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\kdick.exe

    .
    (((((((((((((((((((((((((   Files Created from 2007-10-02 to 2007-11-02  )))))))))))))))))))))))))))))))
    .

    2007-11-02 11:33   51,200   --a------   C:\WINDOWS\NirCmd.exe
    2007-11-01 13:35   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
    2007-11-01 13:35   <DIR>   d--------   C:\Documents and Settings\Power User\Application Data\SUPERAntiSpyware.com
    2007-11-01 13:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-01 13:33   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-31 10:35   512,096   --a------   C:\WINDOWS\system32\drivers\amon.sys
    2007-10-31 10:35   298,104   --a------   C:\WINDOWS\system32\imon.dll
    2007-10-31 10:35   15,424   --a------   C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-10-26 16:17   584,192   -----c---   C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-17 16:37   <DIR>   d--------   C:\Downloads
    2007-10-17 10:37   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
    2007-10-17 10:32   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
    2007-10-17 10:32   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-26 21:01   ---------   d-----w   C:\Documents and Settings\Power User\Application Data\U3
    2007-10-25 15:32   ---------   d-----w   C:\Documents and Settings\Power User\Application Data\AdobeUM
    2007-10-17 22:47   359,808   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-16 19:47   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
    2007-09-17 23:20   ---------   d-----w   C:\Documents and Settings\Power User\Application Data\.ABC
    2007-09-17 22:29   ---------   d-----w   C:\Program Files\LogMeIn
    2007-09-17 21:05   ---------   d-----w   C:\Program Files\K-Lite Codec Pack
    2007-09-13 22:01   ---------   d-----w   C:\Program Files\ABC
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
    "ControlCenter2.0"="C:\Program Files\SP\ControlCenter2\brctrcen.exe" [2006-09-07 17:45]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-31 10:30]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

    R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys
    R1 Uim_IM;UIM Drive Backup Image Plugin;C:\WINDOWS\system32\Drivers\Uim_IM.sys
    R1 UimBus;Universal Image Mounter Controller;C:\WINDOWS\system32\DRIVERS\UimBus.sys
    R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
    R3 BrScnUsb;SP USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
    R3 BrSerIf;SP MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
    R3 BrUsbSer;SP MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
    R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
    R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
    S3 BioNT_BS;BioNT_BS;\??\C:\Program Files\Paragon Software\Drive Backup\BlueScrn\BioNT_bs.sys
    S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
    S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
    S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
    S3 BrSerWdm;SP WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
    S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
    S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bb588fe-c0fc-11db-a8eb-000874382a49}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 11:41:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-02 11:43:53 - machine was rebooted
    .
       --- E O F ---

    kletus23


      Re: search engines hijacked
      « Reply #17 on: November 02, 2007, 02:48:36 PM »
      I finally got around to installing the Comodo firewall that you recommended.  Once that was running it found some problems with "svchost.exe" and I denied the access for that program.  That seems to have fixed the problem, and I can now search freely.

      Thanks again for all of your help figuring this out.  Is there any more info you'd like me to post?

      evilfantasy

      Re: search engines hijacked
      « Reply #18 on: November 02, 2007, 02:56:44 PM »
      Combofix did find "something" that I am not sure of and can find no information on.

      To be on the safe side, let's try this:

      Run the BitDefender Online Scanner.

      Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

      Once Bitdefender completes the scan:
      Click-on the Detected Problems tab.
      Then select Click here to export the scan report.

      When the window comes up to save the report, change the Save as type: box to:
      Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan, then click Save.

      This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
      This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

      If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

      Post the bdscan.txt file as an Attachment.
      Thanks To Chaslang For The Bitdefender Guide!
      « Last Edit: November 02, 2007, 07:02:00 PM by evilfantasy »

      Broni


        Mastermind
      • Kraków my love :)
      • Thanked: 614
        • Computer Help Forum
      • Computer: Specs
      • Experience: Experienced
      • OS: Windows 8
      Re: search engines hijacked
      « Reply #19 on: November 02, 2007, 06:56:14 PM »
      Quote
      ConfigOCXDos32.exe-up.txt
      _wrar370.exe
      It may be helpful to know where exactly they are located.

      Quote
      I tried attaching the host files you asked for, but it says I'm not allowed to attach that type of file.  Any ideas?
      You can try two things.
      If you opened the "hosts" file in Notepad, make sure you save it in "hosts.txt" format in order to upload it here.
      However, if that doesn't work, the file itself may be too big.
      In that case, simply email that file to me.

      Quote
      Once that was running it found some problems with "svchost.exe" and I denied the access for that program.
      svchost.exe can be either a legit Windows file or malware. It all depends on what location it resides in. The legit Windows file will be found in the Windows\System32 folder.
      Simply search your computer for svchost.exe, and post back all of its locations.
      Quote
      That seems to have fixed the problem, and I can now search freely.
      This may indicate that Comodo blocked a malware file rather than a legit one. But, as I said, post those file locations.

      I'm really glad your searches are doing OK.

      P. S.
      If confirmed, it may be just a classic example of why the built-in Windows firewall is no good. When you have a trojan, it leaves an open door on your computer, through which all your sensitive data is transmitted to the outside world. I did some tests with the Windows firewall myself, and in 90% of cases it won't prevent the above transmission.

      kletus23


        Re: search engines hijacked
        « Reply #20 on: November 03, 2007, 05:06:14 PM »
        Locations for svchost.exe:

        C:\WINDOWS\system32
        C:\WINDOWS\ServicePackFiles\i386

        The two files you asked for earlier were located in the same place you told me to look (from the SuperAntispyware log).  I went looking for the files again, but only found "C:\WINDOWS\ConfigOCXDos32.exe-up.txt" (the log listed "C:\WINDOWS\ConfigOCXDos32.exe").

        I also found a shortcut to this file at:
        C:\Documents and Settings\Power User\Recent

        As well as another text file (same name) with an IE logo for an icon in: My Computer

        The other file "C:\DOCUMENTS AND SETTINGS\POWER USER\LOCAL SETTINGS\TEMP\RARSFX0\_WINRAR.EXE" no longer exists (I'm guessing BitDefender deleted it?)

        The host files and BitDefender Scans are attached.

        Many thanks again for walking me through all this.


        evilfantasy

        Re: search engines hijacked
        « Reply #21 on: November 03, 2007, 06:18:15 PM »
        The only things that showed up were already quarantined or in the System Restore points.

        C:\Program Files\ESET\infected\WHSLXDCA.NQF=>(Quarantine-PE) Deleted
        C:\System Volume Information\_restore{1F9B0520-97DA-4948-9816-CA2C407F8E16}\RP142\A0015525.exe Deleted

        Empty the ESET quarantine. (if anything is still there)

        Toggle System Restore to remove infected restore points.

        System Restore
        1: Right click on the My Computer icon on your desktop and select properties.
        2: Click on the system restore tab.
        3: Check the box that says "Turn off system restore on all drives". Click OK.
        4: Click Yes when you are prompted to restart the computer.
        5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

        Are there any problems you are still having?

        kletus23


          Re: search engines hijacked
          « Reply #22 on: November 05, 2007, 02:54:35 PM »
          I switched System Restore off, restarted, and then switched it back on.  Is that all I need to do? 

          I looked for the file in the ESET quarantine.  I didn't find the one you listed, but was able to find these:

          C:\Program Files\ESET\infected\WHSLXDCA.NQI
          C:\Program Files\ESET\infected\MUAUFGAA.NQI
          C:\Program Files\ESET\infected\MUAUFGAA.NQF

          Should I delete all of these files?

          My searches are all working again.  My system seems to be pretty slow now though.  Could that be due to the new firewall that's running constantly? 

          I've also been having issues with my BitTorrent client (ABC) freezing once or twice a day.  It looks like it's downloading, but the amount of the file never increases.  I was going to check with the client's manufacturer and see what they thought.

          Thanks again for all your time and help with this.  Let me know if there's anything else I should do.


          evilfantasy

          Re: search engines hijacked
          « Reply #23 on: November 05, 2007, 03:03:34 PM »
          Quote
          I looked for the file in the ESET quarantine.  I didn't find the one you listed, but was able to find these:

          C:\Program Files\ESET\infected\WHSLXDCA.NQI
          C:\Program Files\ESET\infected\MUAUFGAA.NQI
          C:\Program Files\ESET\infected\MUAUFGAA.NQF

          Should I delete all of these files?

          They certainly aren't doing any good to keep. I would empty the quarantine.

          Quote
          My searches are all working again.  My system seems to be pretty slow now though.  Could that be due to the new firewall that's running constantly?

          What firewall do you use? Firewalls are not my strong point...

          Quote
          I've also been having issues with my BitTorrent client (ABC) freezing once or twice a day.  It looks like it's downloading, but the amount of the file never increases.  I was going to check with the client's manufacturer and see what they thought.

          Don't use 'em. This is most likely the source of the malware problems to begin with. Just because the torrent client is clean does not mean what you download with it is!

          Quote
          Thanks again for all your time and help with this.  Let me know if there's anything else I should do.

          No problem on the help. You may want to do some system maintenance. Disk cleanup and defrag would likely speed things up.

          kletus23


            Re: search engines hijacked
            « Reply #24 on: November 05, 2007, 04:37:13 PM »
            I'm using the Comodo firewall that was suggested earlier.  It seems to be doing a great job of keeping me protected.

            I know exactly what I downloaded with BitTorrent that was the cause of my problems.  I should have known better to begin with. 

            I'll run the disk cleanup and defrag my C: drive now. 

            Thanks again for all your help.  I could not have done this without you, and really feel like my system is much better protected now.

            evilfantasy

            Re: search engines hijacked
            « Reply #25 on: November 05, 2007, 04:46:58 PM »
            Quote
            I'm just running the windows XP firewall.  I'm guessing that's not enough.

            I'm using the Comodo firewall that was suggested earlier.

            Be sure to run only one firewall. Two can cause conflicts.

            Delete:
            Combofix from your desktop
            Go to C:\qoovox <---delete the whole file

            You may want to toggle System Restore once more to ensure infected restore points are gone.

            System Restore
            1: Right click on the My Computer icon on your desktop and select properties.
            2: Click on the system restore tab.
            3: Check the box that says "Turn off system restore on all drives". Click OK.
            4: Click Yes when you are prompted to restart the computer.
            5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

            Glad things are working better.

            Safe Surfing!