Search Engine Redirecting Virus

July 15, 2009 at 16:51:05
Specs: Windows XP SP 2, Intel Premium Processor 1.50 GHz/480 mb

Search engines (both Google and Yahoo) are being redirected to ad sites and such. I scanned with avast! and SuperANTISpyware, but they did not solve the problem. I am currently scanning with Malwarebytes and can post a log from there or try Hijackthis. It seems this has to be solved individually, so thank you very much in advance!

See More: Search Engine Redirecting Virus

Report •


#1
July 15, 2009 at 17:11:30
Post both malwarebytes and superantispyware scan logs.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#2
July 15, 2009 at 17:13:25
Malware Bytes found two things, I deleted them and search engine virus is still there.

Report •

#3
July 15, 2009 at 17:14:02
Oops, that was a followup to my first post, I will post those shortly, thanks for your quick reply.

Report •

Related Solutions

#4
July 15, 2009 at 17:17:37
Are these the logs? I'm not sure because they're not as long as the Hijackthis logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2009 at 09:46 PM

Application Version : 4.26.1006

Core Rules Database Version : 3995
Trace Rules Database Version: 1935

Scan type : Complete Scan
Total Scan Time : 00:53:40

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 3440
Registry threats detected : 0
File items scanned : 11035
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Summer\Cookies\summer@at.atwola[1].txt
C:\Documents and Settings\Summer\Cookies\summer@doubleclick[1].txt
C:\Documents and Settings\Summer\Cookies\summer@atwola[1].txt
C:\Documents and Settings\Summer\Cookies\summer@html[1].txt


Malwarebytes' Anti-Malware 1.39
Database version: 2436
Windows 5.1.2600 Service Pack 2

7/15/2009 4:52:34 PM
mbam-log-2009-07-15 (16-52-34).txt

Scan type: Quick Scan
Objects scanned: 79626
Time elapsed: 15 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrxeexewym.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrxeexewym.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Report •

#5
July 15, 2009 at 17:21:25
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode and make sure you are connect to internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#6
July 15, 2009 at 18:04:49
Ok, when I ran GMER, apparently my Windows crashed and rebooted shortly after I clicked Scan. It says Windows has just recovered from a serious error. Here are the technical details of the error report, not sure if it'll help:
C:\DOCUME~1\Summer\LOCALS~1\Temp\WER0abb.dir00\Mini071509-02.dmp
C:\DOCUME~1\Summer\LOCALS~1\Temp\WER0abb.dir00\sysdata.xml

My GMER file name was s4obhd0z.
I did not receive any warnings about the rootkit at all.
I did this twice and it crashed the second time.

Here is my AVZ log:
http://rapidshare.com/files/2562900...


Report •

#7
July 15, 2009 at 18:18:45
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\WINDOWS\system32\drivers\zrbsjwww.sys','');
 StopService('trypvbi');
 DeleteService('trypvbi');
 QuarantineFile('trypvbi.sys','');
 QuarantineFile('\\?\globalroot\systemroot\system32\geyekrxeexewym.dll','');
 DeleteFile('\\?\globalroot\systemroot\system32\geyekrxeexewym.dll');
 DeleteFile('trypvbi.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\zrbsjwww.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');    
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

3) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

4) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#8
Report •

#9
July 15, 2009 at 19:56:54
Are you still getting redirected? Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('c:\windows\system32\geyekr*.*','');
 DeleteFileMask('c:\windows\system32\','geyekr*.*', false);
BC_Importall;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine2.zip');    
end.


A file called quarantine2.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#10
July 15, 2009 at 20:38:23
Oh, I believe it works now! I hope there's nothing hiding so it'll come back later. Thank you so, so much for taking the time to help! I really appreciate it!

Report •

#11
July 15, 2009 at 20:41:31
Complete Response Number 9 then follow:

Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#12
July 16, 2009 at 00:14:46
I am on another computer, and am running the scan on safe mode. However, it says it'll take another four or five hours, does that sound about right? I also hope that it doesn't crash in the middle, it tended to do that with SpyDoctor scans.

Report •

#13
July 16, 2009 at 07:14:08
Yes that's correct it take some time to complete the scan.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#14
July 16, 2009 at 09:35:30
I'm not sure if I did this right, since I zipped two MS-DOS Batch Files named Log and Scan:
http://rapidshare.com/files/2565157...

http://rapidshare.com/files/2565161...

It found two trojan viruses from AVZ, if that helps.


Report •

#15
July 16, 2009 at 09:37:46
You can delete AVZ folder if your problem is fixed. Any other problems?

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#16
July 16, 2009 at 10:01:58
Nope, I think that's it! Thanks again!

Report •

#17
August 6, 2009 at 11:58:57
I am struggling with this problem as well and here is the requested link.

Download link: http://rapidshare.com/files/2644709...


Report •

#18
August 6, 2009 at 12:28:10
Post #2
from post #1 Download link: http://rapidshare.com/files/2644709...

Link for post #2
Download link: http://rapidshare.com/files/2644818...

Thank you in advance for the work you are going through to do this


Report •

#19
August 8, 2009 at 21:25:40
AVZ Link: http://rapidshare.com/files/2653114...

Report •

#20
August 8, 2009 at 21:29:34
I'm having a similar problem, but for my google and yahoo browsers, whenever i search something, nothing comes up, just a blank screen. When I press refresh, the blank screen is still there, also I have a problem that when I look on my history, a whole bunch of websites that I've never been on are there, and they haven't come up in pop-ups either. I think someone may have hacked my Internet, but there's nothing wrong with my dad's computer, so then I think someone has somehow hacked my computer, but wouldn't that require them actually being on my computer first? Please help.

Report •


Ask Question