
Malwarebytes successfully blocked outgoing but Google search results still hijacked



Yeah, go ahead and shut it down for now.

We've already done this step, but I'd like you to do it again:

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

Something isn't right. I'd like to get some more scans to get me a better picture:

Please do the following:

  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while the scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right-click on it and Run as an Administrator.)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:

    gmer_screen2-1.gif
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save, type in gmer.txt, save it to the Desktop, and copy/paste the contents in your next reply.


Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.


That's really bizarre. Something is clearly being flagged... my gut tells me it's Symantec, but your log hasn't verified that so far.

I'd like to uninstall Symantec (only for now) to see if that has any impact. Please download and run the Norton Removal Tool from here: https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us

After you've successfully uninstalled Symantec/Norton, please reboot. Then, run RogueKiller again and post the log. This will clarify whether the suspicious activity is caused by your antivirus program. :)


Redirects are still occurring, but not on every search result, and only in IE and Firefox; Chrome seems fine. Generally, the first few searches are okay, then things degrade. The more searches we do, the more search results seem to be affected by redirects.

I haven't tested sufficiently to identify any pattern, and I'm not sure whether things reach a point where all of the top 10 results (or further) redirect.

I did think that 'paid' search results (i.e. advert links at the top and in the right column) seem more prone to redirect.


Okay, that points me on the right track.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

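As an added example that is not part of the thread or of MiniToolBox, the following PowerShell script reads the same items the helper asked MiniToolBox to report (IE and Firefox proxy settings, the hosts file, DNS servers and the Winsock catalog) and flags the values that most often explain redirected search results. It assumes a Windows 7 or later machine and an elevated prompt; the list of Microsoft Winsock provider DLLs it treats as normal is an assumption.

```powershell
# Added example (not from the thread or MiniToolBox): collect the settings the helper
# asked MiniToolBox to report and flag the ones that commonly explain hijacked search
# results. Run from an elevated PowerShell prompt on the affected machine.

# 1. Internet Explorer (WinINET) proxy settings; Chrome uses these same settings by default.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    Write-Warning "IE proxy active: server='$($ie.ProxyServer)' pac='$($ie.AutoConfigURL)'"
} else {
    Write-Output 'IE proxy: none configured'
}

# 2. Firefox keeps its own proxy configuration in each profile's prefs.js.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Filter prefs.js -Recurse |
        Select-String -Pattern 'network\.proxy\.(type|http|autoconfig_url)' |
        ForEach-Object { Write-Warning "Firefox proxy pref in $($_.Path): $($_.Line.Trim())" }
}

# 3. Hosts file: anything beyond comments and the localhost lines deserves a look,
#    especially entries that point search-engine or update domains elsewhere.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object {
    $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
} | ForEach-Object { Write-Warning "Non-default hosts entry: $_" }

# 4. DNS servers per adapter (Win32_NetworkAdapterConfiguration is available back to Windows 7).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { Write-Output "$($_.Description): DNS = $($_.DNSServerSearchOrder -join ', ')" }

# 5. Winsock catalog: a third-party Layered Service Provider can rewrite traffic before
#    the browser sees it. The DLL names treated as normal here are an assumption of the
#    stock Microsoft providers; anything else is worth showing to the helper.
netsh winsock show catalog | Select-String -Pattern 'Provider Path' |
    Where-Object { $_.Line -notmatch 'System32\\(mswsock|napinsp|pnrpnsp|NLAapi|winrnr|wshbth)\.dll' } |
    ForEach-Object { Write-Warning "Non-Microsoft Winsock provider: $($_.Line.Trim())" }
```

Comparing the output on the two networks the poster mentions (ADSL versus 3G) shows directly whether the DNS servers differ while the proxy, hosts and Winsock entries stay the same.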

MiniToolBox result file attached.

Result.txt

One additional thing that has occurred is that we had the machine hooked up to my wireless network, which is linked to an ADSL connection. While on my network, Malwarebytes blocked many attempts to contact the IP addresses mentioned right back at the start of this grand adventure.

We disconnected from that network and connected to an alternative, personal 3G wireless connection.

While on the 3G network, attempts to contact the aforementioned IP addresses ceased, although attempted connections have previously been experienced while on the 3G network (but not today), and the browser is still hijacked on this network.

We tried to reconnect to my network but had no success reconnecting, even manually re-entering the network security key; an attempt to repair the connection also failed.

I have not yet attempted a restart of my wireless network. Note that the other computer using my network (running OS7 + IE10 / FF21) is not experiencing any browser hijacking or attempts to connect to other IP addresses.

Thought I'd mention this as I gather DNS and proxy details may be different if on a different network?


Hi again,

I've run a whole bunch of the utilities listed in the early part of this thread on the computer. ESET Online Scanner eventually found a threat. Attaching files from all programs:

ESETScan.txt
AdwCleanerR5.txt
AdwCleanerS3.txt
ComboFix.txt
Extras.Txt
OTL.Txt
log.txt
mbar-log-2013-06-29 (12-54-19).txt
system-log.txt
TDSSKiller.2.8.18.0_29.06.2013_12.47.30_log.txt

Hoping that now we've found something we can finally resolve :D


---------Step 1---------

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

---------Step 2---------

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::
27470208

File::
C:\Windows\System32\Drivers\27470208.sys

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.

---------Step 3---------

Re-run the ESET scan, but make sure you allow it to remove any found threats this time.

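As an added example (not from the thread or from ComboFix), this PowerShell check can be run after the CFScript step to confirm that the driver it targets, 27470208, is gone as a service, a registry key and a file, and to record the hash and signature of anything left for the helper. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; Test-DriverRemoved is a hypothetical helper name.

```powershell
# Added example (not from the thread or ComboFix): verify that the driver named in the
# CFScript no longer exists as a service, a registry key or a file. Anything left is
# reported with its SHA256 hash and Authenticode status so the helper can look it up.
# Needs PowerShell 4.0+ for Get-FileHash; run from an elevated prompt.

$driverName = '27470208'                                            # service name from the CFScript
$driverFile = Join-Path $env:SystemRoot "System32\Drivers\$driverName.sys"
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"

function Test-DriverRemoved {
    param([string]$Name, [string]$Path, [string]$RegKey)
    $remaining = @()

    # A kernel driver is registered with the service control manager like any service.
    if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
        $remaining += "service '$Name' still registered"
    }

    # The Services key can survive even when the binary is gone; Start tells you
    # whether it would still load at boot (0 = boot, 1 = system, 2 = auto, 4 = disabled).
    if (Test-Path $RegKey) {
        $start = (Get-ItemProperty -Path $RegKey).Start
        $remaining += "registry key $RegKey present (Start=$start)"
    }

    # The file itself: hash and signature status give the helper something to look up.
    if (Test-Path $Path) {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $Path).Status
        $remaining += "file $Path present (SHA256=$hash, signature=$sig)"
    }

    return $remaining
}

# @() keeps an empty result as an array so .Count is safe on every PowerShell version.
$leftovers = @(Test-DriverRemoved -Name $driverName -Path $driverFile -RegKey $serviceKey)
if ($leftovers.Count -eq 0) {
    Write-Output "Driver ${driverName}: no service, registry key or file found. Removal looks complete."
} else {
    $leftovers | ForEach-Object { Write-Warning $_ }
}
```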

Having problems getting ComboFix running. We reinstalled to try again after it 'hung', and no, we didn't press any key etc. after it had started, but after 20 min of inactivity we figured we had better restart the machine.

On running the reinstalled version of ComboFix, although we had Norton antivirus disabled (including killing its process in Task Manager), ComboFix kept saying it was active. After selecting Yes after the second N.AV active warning, another message came up asking if we were trying to run CFScript, but said CFScript was misspelled!

Suffice to say ComboFix now won't run :(


This topic is now closed to further replies.