
Thread: All browsers hijacked - redirecting search links

  1. #1
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Hi,

    It looks like that file might be part of a removal tool from Kaspersky. Are you familiar with anything like that?

    Use ATF Cleaner to remove temp files, cookies, cache, etc.
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Please download Malwarebytes' Anti-Malware from Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a Hijackthis log.


    Please let me know how it's running also.

  2. #2
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Yes, Kaspersky is a highly recommended antivirus tool I downloaded when I realized my PC was infected. I knew that bitdefender (the very highly rated AV I paid for) hadn't found anything so I wanted a second opinion.

    I'll run through the other recommendations here in your last post but I am still having the issue and it feels like we're sort of giving up.

    Did you see anything else that could be the root of the issue?

    This is really frustrating.

    It isn't your fault though, it is mine. I appreciate that you gave it a shot.

    -Jonathan

  3. #3
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Quote: "I'll run through the other recommendations here in your last post but I am still having the issue and it feels like we're sort of giving up."
    No, I'm nowhere near giving up. Please proceed with the instructions and we'll go from there.

    Quote: "Did you see anything else that could be the root of the issue?"
    Not yet, but we haven't come close to exhausting our resources. I thought maybe ComboFix took care of the issue. Is it any different after running it?

    Quote: "This is really frustrating."
    Understood. Just hang in there and we'll work through it.

  4. #4
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Thanks for the encouragement and reassurance.

    To answer your question regarding whether anything is different. If it is, I can't tell. The original issue that brought me here is still in place. I just did a search on Bing for 'finance' and clicked on one of the search results that was 'comcast/finance' which appeared to be an article on a finance blog but I was directed to a search site called 'thermocite' instead.

    This was after the Malwarebytes scan and fix below.

    Here's the log from the quick scan with Malwarebytes:

    Malwarebytes' Anti-Malware 1.41
    Database version: 2775
    Windows 5.1.2600 Service Pack 3

    12/2/2009 8:36:19 AM
    mbam-log-2009-12-02 (08-36-19).txt

    Scan type: Quick Scan
    Objects scanned: 120662
    Time elapsed: 14 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{442e26b2-0ae9-1033-0203-060506210001} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
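
A way to triage a log in the layout posted above, as an added example that is not part of the original thread and is not Malwarebytes code: it reconciles the summary counts with the itemized detections and flags entries under an autorun (`Run`) registry key. The sample log is a trimmed, constructed copy of the post, the function names are hypothetical, and treating any action without "successfully" as unresolved is an assumption.

```python
import re
from collections import Counter

# Constructed sample: trimmed copy of the log layout posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Scan type: Quick Scan

Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{442e26b2-0ae9-1033-0203-060506210001} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")   # "X Infected: 1"
HEADER = re.compile(r"^(?P<cat>.+ Infected):$")               # "X Infected:"
ITEM = re.compile(r"^(?P<obj>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\", re.I)

def parse_mbam_log(text):
    """Return (summary counts per category, list of itemized detections)."""
    counts, items, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["cat"]] = int(m["n"])
        elif m := HEADER.match(line):
            current = m["cat"]              # start of a detail section
        elif current and (m := ITEM.match(line)):
            items.append({"category": current, **m.groupdict()})
    return counts, items

def triage(text):
    """Flag count mismatches, autorun-key detections and unresolved items."""
    counts, items = parse_mbam_log(text)
    listed = Counter(i["category"] for i in items)
    return {
        "mismatched": sorted(c for c, n in counts.items() if listed[c] != n),
        "autoruns": [i for i in items if AUTORUN.search(i["obj"])],
        # Assumption: an action lacking "successfully" needs a follow-up.
        "unresolved": [i for i in items if "successfully" not in i["action"].lower()],
    }
```

A non-empty `mismatched` list usually means the pasted log was truncated, which is worth ruling out before reading "0 infected" as clean.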

  5. #5
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Please do a scan with Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:

    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

    (Note.. for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419

    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scan has run


    Let me know how it's running too please.

  6. #6
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Hi Indegenus,

    Sorry it has taken a little longer to get back. I had a hectic couple days with work.

    I ran this Kaspersky Online scan overnight last night and it ran for 8.2 hours. This morning it showed no threats. I clicked on the report button and as the page was trying to load, I noticed that the scan had only run 88% instead of the expected 100%. By clicking the report link (the report was blank) and going back to the scan page, it started over with the 'accept' button.

    I am running the scan again today while I am at work and will check it again when I get back.

    Overall, the computer is running fine, so none of the scanning and fixing we've done has broken anything. However, the issue with the browser redirect remains.

    Thanks again. You'll hear from me in about another 10 hours.

    Regards,
    Jonathan

  7. #7
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    How are you making out here Jonathan?

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Just got a heads up from other experts on a new infection causing your issues.

    A quick check....

    Give me a list of your Firefox Add-ons:

    In Firefox click Tools --> Add-ons

  9. #9
    Junior Member
    Join Date
    Nov 2009
    Posts
    16

    Hi Indigenus

    When I go to my add-ons for Firefox, I just get a list to select and add, so I think it means I don't have any add-ons installed. I am attaching a small screen shot just so you know what I am looking at.

    I also have pasted in the log.txt from the Eset scan. It did find a file - an old crack for WinRar, but I don't believe that file has anything to do with my issue. I will go ahead and delete it for good measure.

    First, the log.txt:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=cbd34a521afd4744b2d42bb46a242bac
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-12-06 07:22:19
    # local_time=2009-12-06 02:22:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=2053 16776869 100 100 0 141858025 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=250753
    # found=1
    # cleaned=0
    # scan_time=5973
    C:\Program Files\WinRAR\WRARcrk.exe probably a variant of Win32/Bifrose trojan 00000000000000000000000000000000 I


    ______

    The screenshot of my tools / add-ons for FF is attached to this message as a file.

  10. #10
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    On the picture you attached....what shows if you click on the extensions tab (looks like puzzle piece)?
