
Another Google Redirect


mjs99


Continuing while logged in as administrator...

Since you did not say again to check "Scan all users", I did not do so.

When copying your custom fix text, I found that all the linebreaks disappeared --- it all ran together in one long line. Even when I pasted into Notepad. So I manually inserted the linebreaks again in the copy in Notepad. So that you can see I did not goof that up, here is the copy I saved from Notepad:

:OTL

IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF

IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF

IE - HKU\S-1-5-21-2738969363-3528563524-3556320021-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF

IE - HKU\S-1-5-21-2738969363-3528563524-3556320021-1000\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=NIS&chn=retail&geo=US&ver=19

:files

ipconfig /flushdns /c

:Commands

[emptytemp]

[clearallrestorepoints]

Harrrumpfh. Pasting into this forum lost the blank lines. They are there in Notepad and went into OTL OK.

So I pasted into the custom fix box, with all the right linebreaks. Then I clicked on "Run fix". After it was well under way, I realized I forgot to close IE first. So I belatedly closed IE. I think it was during the last step, while OTL was clearing restore points. BTW, I did not remove all. Maybe it did not remove any. My previous problems included disappearing restore points.

When OTL finished and told me to reboot, I did. After reboot and re-login as administrator, I looked at the available restore points. I found three; the latest is the one just created by OTL, and there are two older ones (including one made by ComboFix). I am not sure whether I had any others before I ran OTL.

Following is the log from the latest run of OTL. Oddly, it, too, is missing a couple of blank lines --- but only near the end.

All processes killed

========== OTL ==========

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.

Registry key HKEY_USERS\S-1-5-21-2738969363-3528563524-3556320021-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.

Registry key HKEY_USERS\S-1-5-21-2738969363-3528563524-3556320021-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Addmin\Desktop\cmd.bat deleted successfully.

C:\Users\Addmin\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Addmin

->Temp folder emptied: 228083 bytes

->Temporary Internet Files folder emptied: 46218385 bytes

->Java cache emptied: 2023 bytes

->Flash cache emptied: 700 bytes

User: All Users

User: Chris

->Temp folder emptied: 8319 bytes

->Temporary Internet Files folder emptied: 581943196 bytes

->Java cache emptied: 3065840 bytes

->Flash cache emptied: 4373 bytes

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67563 bytes

%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 602.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.61.5 log created on 09162012_170146

Files\Folders moved on Reboot...

C:\Users\Addmin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF07B4F0AC81B3A1FD.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF0FE64DDB7F19BA11.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF11A0970A9742CB85.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF33BDEF1D9350A31B.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF75C0D9C8A64A7D68.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF8691E5045E9B6224.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DF98272D05AC9631A0.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DFA266B36625C952AF.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DFCCA66A8A98597820.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DFD016792464DCC79B.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DFD16792B44193BB85.TMP not found!

File\Folder C:\Users\Addmin\AppData\Local\Temp\~DFDBDFC60042775AF7.TMP not found!

C:\Users\Addmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.

C:\Users\Addmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZM1XRVIC\EFpQQyG9GqCrobXxL-KRMWzklk6MJbhg7BmBP42CjCQ[1].eot moved successfully.

C:\Users\Addmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZM1XRVIC\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot moved successfully.

File\Folder C:\Users\Addmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R916KD1W\fastbutton[1].htm not found!

C:\Users\Addmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R916KD1W\index[1].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

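The SearchScopes keys OTL deleted in the log above are the usual place an IE search hijack is registered. As an added example that is not part of the thread or of OTL, the following PowerShell audit walks HKLM (both registry views) and every loaded user hive and flags scopes whose URL host is not on an allowlist you set; the allowlist values are assumptions, and it expects an elevated prompt.

```powershell
# Added example (not from the thread): audit IE SearchScopes for unexpected search URLs.
# Allowlist of hosts you expect to see; ASSUMPTION - adjust to your own policy.
$Expected = @('www.google.com', 'www.bing.com')

function Get-SearchScopeHost {
    param([string]$Url)
    # Returns the lower-cased host of the scope URL, or $null if it does not parse.
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

# Machine-wide scopes: native view ("64bit-Registry key" in OTL) and WOW6432Node view.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
)

# HKU: is not mapped as a drive by default; map it so loaded user hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# Add the per-user SearchScopes key of every loaded account hive (skip *_Classes hives).
foreach ($Hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    if ($Hive.PSChildName -match '^S-1-5-21-\d' -and $Hive.PSChildName -notmatch '_Classes$') {
        $Roots += "HKU:\$($Hive.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
    }
}

$Findings = foreach ($Root in $Roots) {
    if (-not (Test-Path $Root)) { continue }
    # DefaultScope names the {CLSID} IE uses for address-bar and search-box queries.
    $Default = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).DefaultScope
    foreach ($Scope in Get-ChildItem -Path $Root) {
        $Props     = Get-ItemProperty -Path $Scope.PSPath
        $ScopeHost = Get-SearchScopeHost $Props.URL
        [pscustomobject]@{
            Root       = $Root
            Scope      = $Scope.PSChildName
            IsDefault  = ($Scope.PSChildName -eq $Default)
            Name       = $Props.DisplayName
            URL        = $Props.URL
            # Unparseable URL or host outside the allowlist is worth a second look.
            Suspicious = ($null -eq $ScopeHost -or $Expected -notcontains $ScopeHost)
        }
    }
}

$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Only hives of accounts that are currently loaded appear under HKEY_USERS, so log in as (or load the hive of) each account you want covered, which is why the thread kept asking about "Scan all users".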

While still logged in as administrator, I copied the reports from ESET and AVPTool to the public documents folder. Then I logged out as administrator, logged in as the standard user. I looked and found that the email attachments removed by ESET were still gone. The one (not in an archive) mentioned by AVPTool was in C:\Documents And Settings\... --- which does not exist, I assume it is some sort of magic alias for the places I looked.

While still logged in as the standard user, I launched IE9 (home page is blank). Typed www.google.com in the address bar, went to that page. Entered a search. Clicked on a link in the results. Got redirected to itunes.apple.com. Closed the browser. Re-opened it, looked at history for today. Found "Computer" and "Google", so far so good. Also found a couple of entries at buisinessfinder.com, it looks like my search was done there (too? instead?). Also found itunes.apple.com.

I then logged out the standard user and logged in the administrator and added this post.


If you followed my out-of-order postings correctly, you know that, when I last posted, I was logged in as the administrator. After reading your latest suggestion (which I read on a different machine, with IE closed on the machine with the problem), I went to the problem machine and logged out, then logged in as the standard user. Before doing anything else, I opened the control panel and looked at my IE Search Provider settings. There is only one Search Provider, and it is Google. The "search in the address bar" checkbox is cleared. (Earlier I had deleted the other providers and cleared that checkbox, on my own initiative.) Just to be sure, I tested again --- watching the address bar carefully. I launched IE (home page is blank). Typed "www.google.com" in the address bar, it autocompleted with a final slash, I hit return, and it went to Google (according to address bar and appearance). I typed in a search in the Google web form (not address bar), hit return. Got decent looking results, with URL in address bar at the www.google.com domain. Clicked on a legitimate-looking result. Got redirected elsewhere.

:-(


So I tried the suggested Reset of IE, while logged in as the standard user. That did not fix the problem, still getting redirected.

Then I closed IE and opened Internet Options and stripped it down again: disabled all the toolbars and extensions, removed all the Accelerators, removed all the Search Providers except Bing, disabled Bing suggestions and "search in the address bar". On the Security tab, set the Internet zone to High and configured the local intranet zone to be empty; verified that there are no Trusted sites. Checked that no proxy is configured in the LAN settings. Approved out of Internet Options.

Launched IE, went to dcwg.org and verified that DNS Changer is not present. Tested again, with search at Google. Still getting redirected.

In a Command window, used `nslookup` to investigate the DNS names involved in the test (www.google.com and the first site that appeared in my search results). Compared results of `nslookup` on infected machine with results of `nslookup` on other machines at home and at work (in two states). Both domains involved in the test seem to be using big CDNs, so it is a bit tough to be sure, but it looks like I am getting legitimate IP addresses from lookups of the legitimate domain names involved.


Then I rebooted and logged in as the administrator, and did two things. I created a second standard user, and I downloaded and installed Firefox.

Then I logged out and logged in as the new standard user. I launched IE, and accepted all the configuration suggestions. I tested, and was NOT redirected.

Then I rebooted and logged in as the old standard user. I launched Firefox, and did some testing. There were NO redirects. But IE is still suffering redirects.


Results of screen317's Security Check version 0.99.51

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.0.1400

Java 6 Update 29

Java version out of Date!

Adobe Flash Player 11.2.202.235 Flash Player out of Date!

Adobe Reader X (10.1.4)

Mozilla Firefox (15.0.1)

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


That was done while logged in as the administrator.

Seeing some complaints, I fixed them. Now here is what SecurityCheck has to say:

Results of screen317's Security Check version 0.99.51

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.0.1400

Adobe Flash Player 11.4.402.278

Adobe Reader X (10.1.4)

Mozilla Firefox (15.0.1)

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````


So I logged out as administrator, and logged in as the commonly used standard user (to test). I got the usual complaint about izcusmu.dll and two new complaints. One is of the same form as the izcusmu.dll complaint, but instead complaining about

C:\Users\Chris\AppData\Local\Diagnostics\CrashDumps\vygmf.dll

The other one was a slide-in at the lower right corner of the screen, from Norton Internet Security telling me that Auto-Protect was working on Trojan.Tracur!gen3. The slide-in disappeared while I logged into another machine to start typing this post. Back on the infected machine, I looked in Norton's history and saw that it claims to have taken two actions about that trojan; only one is mentioned, which is removal.

Back on the infected machine, logged in as the standard user, I tested. I tested IE and Firefox. I searched at Google, Bing, and Ask. In all six cases, I got no redirect!

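The pattern in this thread (IE redirected, Firefox and a fresh user account not, and complaints about DLLs under the user's own AppData) points at something hooked into IE per user rather than at DNS or the hosts file. The thread never says how izcusmu.dll or vygmf.dll were loaded; as an added check that is not from the thread, the following PowerShell enumerates IE Browser Helper Object registrations, resolves each CLSID to its InProcServer32 DLL (the per-user HKCU\Software\Classes entry first, since it shadows the machine-wide one), and flags DLLs that live under a user profile. The report column names are my own choices.

```powershell
# Added example (not from the thread): list IE BHO registrations and where their DLLs live.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Search order matters: a per-user CLSID registration wins over the machine-wide one.
$ClassRoots = @(
    'HKCU:\Software\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-ClsidDll {
    param([string]$Clsid)
    foreach ($Root in $ClassRoots) {
        $Key = Join-Path $Root "$Clsid\InProcServer32"
        if (Test-Path $Key) {
            $Dll = (Get-ItemProperty -Path $Key).'(default)'
            if ($Dll) {
                # Expand %SystemRoot%-style references so the file tests below are meaningful.
                return [pscustomobject]@{ Source = $Root; Dll = [Environment]::ExpandEnvironmentVariables($Dll) }
            }
        }
    }
    return $null
}

# Parent of the current profile folder, e.g. C:\Users; anything below it is user-writable.
$ProfileRoot = [Environment]::GetFolderPath('UserProfile') | Split-Path -Parent

$Report = foreach ($Key in $BhoKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Entry in Get-ChildItem -Path $Key) {
        $Clsid = $Entry.PSChildName
        $Res   = Resolve-ClsidDll $Clsid
        [pscustomobject]@{
            Registration = $Key
            CLSID        = $Clsid
            Dll          = if ($Res) { $Res.Dll } else { '<no InProcServer32 found>' }
            ClassSource  = if ($Res) { $Res.Source } else { $null }
            Exists       = if ($Res) { Test-Path -LiteralPath $Res.Dll } else { $false }
            InProfile    = if ($Res) { $Res.Dll -like "$ProfileRoot\*" } else { $false }
        }
    }
}

$Report | Sort-Object InProfile -Descending | Format-Table -AutoSize
```

Run it once per account that shows the symptom, because the HKCU entries differ per user; a BHO whose DLL sits under C:\Users\... or whose CLSID resolves through HKCU\Software\Classes deserves a closer look, while a DLL under Program Files from a known vendor is the normal case.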

So I rebooted the (formerly?) infected machine and logged in as the commonly used standard user. I tested IE some more. Got no redirects.

Then I turned on some of the stuff I had turned off while fighting this problem. In the Internet Options, I: moved the Internet zone back to Medium High security, restored the contents of the local Intranet zone, added Google as a Search Provider, and enabled the Flash Player and the Java plug-in. Then I tested IE some more. Still got no redirects!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
