[SOLVED] Nasty Search Engine Redirect Malware!!
Old 09-01-2008, 09:02 PM   #1
Registered Member
 
Join Date: Aug 2008
Posts: 6
OS: winXP


Mistake

i am at my wits end.
i have run adaware, ewido, avg antispyware and antivirus, ccleaner, cwshredder, fixwareout, hijackthis (obviously), registry mechanic, and probably a couple other things i've forgotten by now. Every program that could be used in safemode was used there.

Someone who shares this machine caught Windows Antivirus 2008 on their profile while attempting to download a wallpaper. i seem to have gotten rid of all that, but still get redirected whenever a link is followed from a search engine. The status bar reflects a redirect to "go.google.com" and then many ip addresses before landing at a fake search engine site, if google is used. If yahoo is used, it redirects to go.yahoo.com, etc.

The WAV2008 was contracted via Firefox. i have since removed IE from the machine entirely (as far as i know) and have removed Firefox 3.0 and downgraded to 2.0. i also just installed Opera and the same redirect happens there. Some programs i've used found things, cleaned them and when i ran them again, came up clean. Everything is coming up clean but i am still being redirected. i am also unable to access help forums like this one (thank god i have a laptop); i get an "unable to establish a connection to server" page, but i can access it via a proxy page. Also can't update adaware definitions - it fails. Had to download onto the laptop and network the machines to update it. i'm now at a total loss and you guys are my only hope.

Here's my HijackThis log at present:

Logfile of HijackThis v1.99.1
Scan saved at 8:50:45 PM, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\wolf\My Documents\CLEANING\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)



Thanks for any help in advance.

__________________
cumal is offline  
Old 09-01-2008, 09:45 PM   #2
Registered Member
 
Join Date: Aug 2008
Posts: 6
OS: winXP



It appears to be called "go.google spyware".

http://answers.yahoo.com/question/in...8133041AAqmiiF
http://forum.processlibrary.com/show...4812#post44812

According to both these references, Malwarebytes' Anti-Malware appears to be the closest thing to a solution. The person who started the thread at processlibrary got this malware yesterday and i got it a couple days ago, so i'm hopeful. i'm running Malwarebytes' right now. We'll see how it goes.

__________________
cumal is offline  
Old 09-01-2008, 10:22 PM   #3
Registered Member
 
Join Date: Aug 2008
Posts: 6
OS: winXP



Well it appears that i've resolved my own problem. Malwarebytes' took it right off and everything is running smoothly.

At least maybe someone with the same problem can find the solution here.
http://www.download.com/Malwarebytes...-10804572.html
__________________
cumal is offline  
Old 09-01-2008, 10:40 PM   #4
TSF Team Emeritus
Moderator, Microsoft Support
 
justpassingby's Avatar
 
Join Date: Mar 2007
Location: Belgium
Posts: 6,472
OS: XP Home SP3 / Ubuntu / Win 7

My System


Thanks for sharing the solution with us, I'll move your thread to the general security section.
__________________
Malware removal steps. Post your logs there and not here !
Posting system specs
justpassingby is offline  
Old 09-01-2008, 11:05 PM   #5
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
tetonbob's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,930
OS: XP Pro; XP Home; Win7 x86 & x64



cumal -

What version of MBAM were you running at the time?

Do me a favor...

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders" /v "SecurityProviders" > peek.txt
start notepad peek.txt
Save this as peek.bat. Choose "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
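The batch file above dumps the SecurityProviders registry value into peek.txt so an analyst can eyeball it. The following is an added example, not code from this thread or from any of the tools mentioned in it: it parses the text that `reg query` writes to peek.txt and reports any DLL in the comma-separated list that is not in an assumed clean baseline. The baseline (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) is what a stock Windows XP install is expected to carry; treat it as an assumption to confirm against a known-clean machine of the same version. The two sample outputs are constructed, and the extra entry in the second one is a made-up placeholder name, not a real malware filename.

```python
import re

# Assumed baseline for a stock Windows XP SecurityProviders value.
# Verify against a known-clean machine before relying on it.
XP_DEFAULT_PROVIDERS = frozenset({
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll",
})

# Matches the value line that reg query prints, e.g.
#     SecurityProviders    REG_SZ    a.dll, b.dll
# The key-path line above it starts with HKEY_..., so it does not match.
VALUE_RE = re.compile(
    r"^\s*SecurityProviders\s+REG_SZ\s+(?P<value>.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_security_providers(reg_output):
    """Return the DLL entries from reg query output, in order, lowercased.

    Raises ValueError when the value line is absent, which itself is worth
    noticing: the value should always exist on a working system.
    """
    match = VALUE_RE.search(reg_output)
    if match is None:
        raise ValueError("SecurityProviders value not found in reg query output")
    return [p.strip().lower() for p in match.group("value").split(",") if p.strip()]


def unexpected_providers(reg_output, baseline=XP_DEFAULT_PROVIDERS):
    """Return entries that are not in the baseline, preserving their order."""
    return [p for p in parse_security_providers(reg_output) if p not in baseline]


# Constructed sample: what peek.txt might contain on a clean XP machine.
CLEAN_SAMPLE = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
    SecurityProviders\tREG_SZ\tmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
"""

# Constructed sample with one extra entry appended. The filename is a
# placeholder chosen for the example, not a real indicator.
SUSPECT_SAMPLE = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
    SecurityProviders\tREG_SZ\tmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, example_unknown.dll
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        extra = unexpected_providers(sample)
        print(f"{label}: {extra if extra else 'no unexpected entries'}")
```

To use it on a real machine, read peek.txt into a string and pass it to `unexpected_providers`; an empty list means every entry is in the baseline, while any returned name is a DLL to look up and account for before deciding the machine is clean. The check is deliberately case-insensitive and tolerant of spacing, because the value is free text and an added entry can be formatted in any way.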
Copyright 2001 - 2014, Tech Support Forum