Search engine results hijacked for all browsers

Discussion in 'Virus, Spyware and Malware Removal' started by Sgt. Pepper, Jan 20, 2012.


  1. Pancake Security Team

    Ummm. Odd. How are things running now?

  2. Sgt. Pepper Bronze Member
    After THIS particular restore, and I have no idea why the results are not being hijacked...

    However this could be a false positive. I will post again later in the night as well as tomorrow morning to confirm that things are still running smoothly...


    Do my logs show anything peculiar or signs of infection?
  3. Pancake Security Team

    It all looks fine in the log but I just can't understand why those temp files keep coming back.


    Please run OTL.exe.

    Copy the commands in the code box with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :otl
    :Files
    C:\Windows\assembly\tmp\U\*
    :folders
    C:\Windows\assembly\tmp\U
    ipconfig /flushdns /c
    :commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [CLEARALLRESTOREPOINTS]
    [CREATERESTOREPOINT]
    
    Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    Click the red Run Fix button.
    A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    Close OTL.exe

    If a file or folder cannot be moved you may be asked to reboot the machine to finish the process. If you are asked to reboot the machine choose Yes.
  4. Sgt. Pepper Bronze Member
    Followed your instructions to the letter.

    After a reboot, got this log which is attached.

    The search results I get are somewhat normal now.

    However in the morning when I first started up there was a suspicious redirect similar to the problems I was having initially and it disappeared. That was this morning prior to me running the code you gave me.

    Attached Files:

  5. Pancake Security Team

    Ok. Just see how that goes and see if you get any more redirects.
  6. Sgt. Pepper Bronze Member

    Quite peculiar. Chrome is working ok now, however it would appear that Firefox search results are still being hijacked. The URL it's redirecting to has changed as well.
  7. Pancake Security Team

    Download Malwarebytes' Anti-Malware from HERE and save it to your desktop.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately.
    Post the contents of the MBAM Log back here please.
  8. Sgt. Pepper Bronze Member
    I apologize for the delay. Being a college student I was pretty busy for the last week.

    Anyway, I did as you said, ran the program and disinfected.

    I also apologize that it's not an attachment; for some reason I can't seem to make attachments now.

    Here is the subsequent log:

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: v2012.02.07.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Sean :: JARVIS [administrator]

    Protection: Enabled

    2/10/2012 4:52:31 PM
    mbam-log-2012-02-10 (16-52-31).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 387433
    Time elapsed: 39 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 14
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cb.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000cf.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\800000cb.@.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir (Trojan.Siredef) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01252012_192526\C_Windows\assembly\tmp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.
    D:\Archive\My Stuff\installs\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Users\Sean\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.
    C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.

    (end)
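The OTL fix earlier in the thread targets C:\Windows\assembly\tmp\U, and the MBAM log above confirms detections in that same folder plus items still marked "Delete on reboot". Below is an added triage script (written for this page, not part of the thread or of Malwarebytes) that parses an MBAM log of this shape and separates leftover quarantine copies from hits on live paths, so a helper can see at a glance what is actually still active. The log format is inferred from the posted log; the sample text is a constructed, trimmed copy of that log, and the quarantine folder prefixes (C:\Qoobox\Quarantine for ComboFix, C:\_OTL\MovedFiles for OTL) are assumptions based on the paths shown above.

```python
import re
from collections import Counter

# Constructed sample (not an attachment from the thread): a trimmed copy of the
# MBAM log posted above, keeping one line of each kind that appears in it.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.60.1.1000
Database version: v2012.02.07.01

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\000000c0.@.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir (Trojan.Siredef) -> Quarantined and deleted successfully.
C:\Windows\assembly\tmp\U\000000cb.@ (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Archive\My Stuff\installs\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Delete on reboot.

(end)
"""

# "Files Detected: 14" style section headers, and "path (Family) -> action." detection lines.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed quarantine folders of the cleanup tools used in this thread (ComboFix, OTL):
# a hit under these is a copy the tools already moved, not an active file.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\_otl\movedfiles")
# The folder the OTL fix in this thread cleaned, compared case-insensitively.
ZEROACCESS_FOLDER = "\\assembly\\tmp\\u\\"
ZEROACCESS_FAMILY_KEYWORDS = ("0access", "zeroaccess")


def parse_mbam_log(text):
    """Return (detections, section_counts) parsed from an MBAM log.

    Each detection is a dict with keys section, path, family and action;
    section_counts maps a section name to the count its header claims.
    """
    detections, counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            counts[section] = int(header.group("count"))
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            detections.append({"section": section, **hit.groupdict()})
    return detections, counts


def count_mismatches(detections, counts):
    """Sections whose header count differs from the lines parsed under it (a truncated log)."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}


def triage(detections):
    """Split detections into what still matters: pending deletions and live-path hits."""
    report = {
        "families": Counter(d["family"] for d in detections),
        "pending_reboot": [],       # not removed yet; a reboot is still required
        "quarantine_copies": [],    # copies inside another tool's quarantine folder
        "live": [],                 # hits outside any quarantine folder
        "zeroaccess_indicators": [],  # by folder or by MBAM family name
    }
    for d in detections:
        lowered = d["path"].lower()
        if d["action"].lower().startswith("delete on reboot"):
            report["pending_reboot"].append(d["path"])
        if lowered.startswith(QUARANTINE_PREFIXES):
            report["quarantine_copies"].append(d["path"])
        else:
            report["live"].append(d["path"])
        family = d["family"].lower()
        if ZEROACCESS_FOLDER in lowered or any(k in family for k in ZEROACCESS_FAMILY_KEYWORDS):
            report["zeroaccess_indicators"].append(d["path"])
    return report


if __name__ == "__main__":
    found, claimed = parse_mbam_log(SAMPLE_LOG)
    print("header/parse mismatches:", count_mismatches(found, claimed))
    for key, value in triage(found).items():
        print(f"{key}: {value}")
```

The count check matters with logs pasted into a forum rather than attached, as in this thread: if the parsed lines fall short of the number in the "Files Detected:" header, part of the log was lost in the paste. Items in the "live" and "pending_reboot" lists are the ones to ask about in the next reply; quarantine copies are cleared by uninstalling ComboFix and running OTC as described later in the thread.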
  9. Pancake Security Team

    Ok. Good. How is it now?
  10. Sgt. Pepper Bronze Member
    No problems to report as of yet...

    Then again the first time it looked clean it came back after about several days.

    I will keep a close eye on anything suspicious and report back later.
  11. Pancake Security Team

    Ok. All done. Log looks good! All that was detected is now either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.

    You can now uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall

    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

    Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

    Please download OTC to your desktop.

    Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
    Click on the CleanUp! button and follow the prompts.
    You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
    After the reboot all the tools we used should be gone.
    Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

    Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.
    Afterwork
    Malware Prevention
    How Did I Get Infected
    More Tips on Prevention

    =============================
  12. Sgt. Pepper Bronze Member
  13. Crush Administrator & Security Team Leader
    Can you restore Firefox to defaults?
  14. Sgt. Pepper Bronze Member
    Just to be clear you want me to restore Firefox to all default settings and not Chrome right?
  15. Crush Administrator & Security Team Leader

    Sorry, misread. The affected browser please.