Search engine results hijacked for all browsers

  1. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Ummm. Odd. How are things running now?
     
  2. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    After THIS particular restore, and I have no idea why, the results are not being hijacked...

    However this could be a false positive. I will post again later in the night as well as tomorrow morning to confirm that things are still running smoothly...


    Do my logs show anything peculiar or signs of infection?
     
  3. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    It all looks fine in the log, but I just can't understand why those temp files keep coming back.


    Please run OTL.exe.

    Copy the commands in the code box with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :otl
    :Files
    C:\Windows\assembly\tmp\U\*
    :folders
    C:\Windows\assembly\tmp\U
    ipconfig /flushdns /c
    :commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [CLEARALLRESTOREPOINTS]
    [CREATERESTOREPOINT]
    
    Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    Click the red Run Fix button.
    A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    Close OTL.exe

    If a file or folder cannot be moved you may be asked to reboot the machine to finish the process. If you are asked to reboot the machine choose Yes.
     
  4. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    Followed your instructions to the letter.

    After a reboot, got this log which is attached.

    The search results I get are somewhat normal now.

    However, in the morning when I first started up there was a suspicious redirect, similar to the problems I was having initially, and it disappeared. That was this morning, prior to me running the code you gave me.
     

  5. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Ok. Just see how that goes and see if you get any more redirects.
     
  6. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    Quite peculiar. Chrome is working OK now; however, it would appear that Firefox search results are still being hijacked. The URL it's redirecting to has changed as well.
     
  7. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Download Malwarebytes' Anti-Malware from HERE and save it to your desktop.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately.
    Post the contents of the MBAM Log back here please.
     
  8. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    I apologize for the delay. Being a college student I was pretty busy for the last week.

    Anyway, I did as you said, ran the program and disinfected.

    I also apologize that it's not an attachment; for some reason I can't seem to make attachments now.

    Here is the subsequent log:



    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: v2012.02.07.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Sean :: JARVIS [administrator]

    Protection: Enabled

    2/10/2012 4:52:31 PM
    mbam-log-2012-02-10 (16-52-31).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 387433
    Time elapsed: 39 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 14
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cb.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cf.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\800000cb.@.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir (Trojan.Siredef) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    D:\Archive\My Stuff\installs\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Users\Sean\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.
    C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.

    (end)
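    As an added example (not code from this thread, from Malwarebytes, or from any of the tools mentioned), a small Python script that parses an MBAM 1.x text log of the shape posted above and separates what still matters from what has already been dealt with. The line shapes it recognises are inferred from that log; the quarantine-folder prefixes (ComboFix's Qoobox and OTL's MovedFiles) are an assumption drawn from the paths in it. The embedded sample reuses the detection lines from the log above so the script runs stand-alone.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log: separate live hits from
copies parked in other tools' quarantine folders, and flag items that are
still pending a reboot (added example; assumptions noted in comments)."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: folders where earlier cleanup tools park what they removed
# (ComboFix's Qoobox, OTL's MovedFiles). A hit under one of these prefixes is
# a copy that was already neutralised, not a file that is still active.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otl\\movedfiles\\")

# Line shapes inferred from the log posted in the thread:
#   "<Section> Detected: <n>"
#   "<path> (<detection name>) -> <action>."
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?) Detected: (\d+)$")
DETECTION_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")


@dataclass
class Detection:
    path: str
    name: str               # detection family as reported by MBAM
    action: str             # what MBAM did, or deferred to the next reboot
    quarantine_copy: bool   # sits inside another tool's quarantine folder
    pending_reboot: bool    # MBAM could not remove it while Windows was up


def is_quarantine_copy(path: str) -> bool:
    """True when the path sits inside another tool's quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def parse_mbam_log(text: str):
    """Return (section_counts, detections) for one MBAM text log."""
    counts = {}
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, name, action = m.groups()
            detections.append(Detection(
                path, name, action,
                quarantine_copy=is_quarantine_copy(path),
                pending_reboot="reboot" in action.lower(),
            ))
    return counts, detections


def triage(text: str) -> dict:
    """Summarise what in the log still needs attention after the scan."""
    counts, dets = parse_mbam_log(text)
    live = [d for d in dets if not d.quarantine_copy]
    return {
        "declared_files": counts.get("Files", 0),
        "parsed": len(dets),                 # differs from declared => truncated log
        "quarantine_copies": len(dets) - len(live),
        "live": len(live),
        "pending_reboot": [d.path for d in dets if d.pending_reboot],
        "live_families": dict(Counter(d.name for d in live)),
    }


# Excerpt of the log posted above (raw string so the backslashes survive).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.60.1.1000
Scan type: Full scan
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 14
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cb.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cf.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\800000cb.@.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir (Trojan.Siredef) -> Quarantined and deleted successfully.
C:\Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Archive\My Stuff\installs\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Sean\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.
C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.
(end)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against the log above, 8 of the 14 detections are copies already sitting in ComboFix's and OTL's quarantine folders from the earlier cleanup; the six that still matter are the three files in C:\Windows\assembly\tmp\U, the keygen, and the two .tlb files that MBAM could only schedule for deletion at reboot, which is why a restart followed by a fresh scan is the sensible next check rather than reading the scan as finished.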
     
  9. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Ok. Good. How is it now?
     
  10. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    No problems to report as of yet...

    Then again, the first time it looked clean it came back after several days.

    I will keep a close eye on anything suspicious and report back later.
     
  11. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5

    Ok. All done. Log looks good! All that was detected is now either in quarantine or System Restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.

    You can now uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall

    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.

    Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

    Please download OTC to your desktop.

    Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
    Click on the CleanUp! button and follow the prompts.
    You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
    After the reboot all the tools we used should be gone.
    Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

    Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
    Afterwork
    Malware Prevention
    How Did I Get Infected
    More Tips on Prevention

    =============================
     
  12. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

  13. Crush

    Crush Active Member

    Joined:
    Sep 28, 2008
    Posts:
    4,634
    Likes Received:
    2

    Can you restore Firefox to defaults?
     
  14. Sgt. Pepper

    Sgt. Pepper New Member Bronze Member

    Joined:
    Jan 20, 2012
    Posts:
    22
    Likes Received:
    0

    Just to be clear you want me to restore Firefox to all default settings and not Chrome right?
     
  15. Crush

    Crush Active Member

    Joined:
    Sep 28, 2008
    Posts:
    4,634
    Likes Received:
    2

    Sorry, misread. The affected browser, please.
     