
Thread: Redirection from website

  1. #1
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Redirection from website

    When I access Google and put in key words, e.g. Tesco flowers, I then click the mouse so that I can access Tesco. When I do that I am then directed to various rogue sites, i.e. camouflage, movie-x, etc. These come up as search engines. Our system has obviously been hijacked and using Symantec and Spybot hasn't cleared it. Is this a trojan? How can we get rid of it? Help.

  2. #2
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to the forum, please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.
    UPDATED WINDOWS - Your first line of defence, links and tips
    http://forums.spybot.info/showthread.php?t=425
    "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
    http://forums.spybot.info/showthread.php?t=288
    Use the "Post Reply" to post the information in the instructions.

    Thanks...pskelley
    Safer Networking Forums

  3. #3
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Hijacked

    Quote (bryson1504, post #1): When I access Google and put in key words, e.g. Tesco flowers, I then click the mouse so that I can access Tesco. When I do that I am then directed to various rogue sites, i.e. camouflage, movie-x, etc. These come up as search engines. Our system has obviously been hijacked and using Symantec and Spybot hasn't cleared it. Is this a trojan? How can we get rid of it? Help.

    Thank you for your reply. My friend followed your instructions. Unfortunately the problem is still with us. I then went into HijackThis and had the system scanned. A logfile came up, but I don't know what to delete and what not to. I'd like to send the logfile for you to look at, but don't know how to send it to you.

  4. #4
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Please review carefully all of the information in this topic:
    "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
    http://forums.spybot.info/showthread.php?t=288
    The information you need is there, including what I am posting for you below.

    Thanks

    http://www.bleepingcomputer.com/tuto...utorial94.html

    http://www.webmasternow.com/copyandpaste.html

  5. #5
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Hijacked again

    We have our web page hijacked by another 'search engine'. After scanning with HijackThis, the following logfile came up, but I don't know what to delete and what to keep.

    Can anyone help me? This is the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:27:10, on 15/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = arthur2@014
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4046C26D-CF84-4CE2-9D16-D8D0C58A289D}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{54C9CB5B-BF16-4921-91DB-05E50A8349A1}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99B62320-38AD-4512-B6BF-71FE87B68230}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

  6. #6
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Thanks for returning your information. You are hijacked by lowlifes located in the Ukraine. See this:
    http://whois.domaintools.com/85.255.113.205

    Let's see if we can get rid of them, please follow the directions carefully.

    1) Before we can start, it looks like you are running three antivirus programs at the same time: McAfee, Symantec and avast! (C:\PROGRA~1\ALWILS~1\Avast4\). This will make you less safe than running one good program and maintaining it properly. See this information:
    Uninstall all but one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html

    2) C:\Program Files\ewido anti-spyware 4.0\guard.exe is obsolete, Grisoft has purchased that program and I will ask you to update to Anti-Spyware by Grisoft and run it a little later in the instructions.

    3) TeaTimer needs to be turned off, it will block changes we must make:
    http://russelltexas.com/malware/teatimer.htm
    Make sure you turn it back on when finished for your protection.

    4) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    5) Thanks to LonnyBJones and anyone else who helped with this fix.

    Download FixWareout from one of these sites:

    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your Desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4046C26D-CF84-4CE2-9D16-D8D0C58A289D}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{54C9CB5B-BF16-4921-91DB-05E50A8349A1}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99B62320-38AD-4512-B6BF-71FE87B68230}: NameServer = 85.255.113.205,85.255.112.66
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66

    Close all programs but HJT and all browser windows, then click on "Fix Checked".

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    7) Make sure all of the above instructions are completed (if not, it will slow down the repair), then restart the computer and post the results of Fixwareout and a new HJT log.

    8) Once those logs are posted, follow the instructions carefully in this link:
    http://www.virusvault.co.uk/fusionbb...ic.php?tid/33/
    Thanks to John McKenna for the tutorial. Make sure you delete or at least quarantine anything located, then post the results of the scan for me to view as soon as you have them.

    Thanks
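    As an added example (not from this thread or its tools), a small Python checker that parses HijackThis lines in the format of the log posted above and reports O17 NameServer entries pointing outside the expected resolvers, plus O2/O3 entries that reference a missing file. The 85.255.x.x addresses are the ones from the posted log; the 192.168.1.1 router address and the allow-list are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis log posted above; the
# 85.255.x.x resolvers come from that log, 192.168.1.1 is an assumed router.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4046C26D-CF84-4CE2-9D16-D8D0C58A289D}: NameServer = 85.255.113.205,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.205 85.255.112.66
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Resolvers this network is expected to use (assumption: the router, plus any
# private or loopback address). Anything else in an O17 line is reported.
TRUSTED_RESOLVERS = {"192.168.1.1"}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
NS_VALUE = re.compile(r"NameServer = (?P<ns>.+)$")

def parse_hjt(text):
    """Yield (section, body) for every HijackThis result line (R0/R1/O2/O17...)."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")

def is_trusted(ip):
    """Allow-listed, private-range or loopback resolvers are acceptable."""
    if ip in TRUSTED_RESOLVERS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback

def rogue_nameservers(text):
    """Sorted list of O17 NameServer addresses that are not trusted."""
    rogue = set()
    for sec, body in parse_hjt(text):
        m = NS_VALUE.search(body) if sec == "O17" else None
        if not m:
            continue
        # Per-interface keys list servers comma-separated, the global
        # Parameters key space-separated; accept both forms.
        for ip in re.split(r"[,\s]+", m.group("ns").strip()):
            if ip and not is_trusted(ip):
                rogue.add(ip)
    return sorted(rogue)

def orphaned_entries(text):
    """O2/O3 entries whose file is gone: leftovers to clear with Fix Checked."""
    return [f"{sec} - {body}" for sec, body in parse_hjt(text)
            if sec in ("O2", "O3") and body.endswith("(no file)")]
```

    Running rogue_nameservers on a full saved log gives the resolver addresses to look up (as pskelley did with the whois link) before deciding which O17 lines to fix.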

  7. #7
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Hijacked again

    Thank you for helping. I'll start on this tonight and tomorrow. Regarding McAfee we found it didn't work and actually missed 74 trojans. A friend helped us by installing Symantec and Spybot and that solved the last problem. I'll get back to you.

  8. #8
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Re: hijacked again

    I have followed your instructions (I hope I got them right). At number 6 when you say to download ATF-Cleaner.exe nothing happens. The same page reappears and I've done everything I can. No menu appears so I can't 'select all'. Any advice? Can I leave the computer for tonight and try again tomorrow or should I persevere until the whole process is finished?

  9. #9
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Hijacked again

    The earlier report:

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.


    ATF-Cleaner.exe
    Written by Atribune
    Friday, 03 February 2006
    ATF-Cleaner.exe was once upon a time just my personal temp file cleaner. There became a need for a good temp file cleaner that could do the job safely and without removing files that are crucial to Windows, so I decided I'd share it with the public.

    ATF-Cleaner has recently picked up a lot of interest in the various communities online.

    ATF-Cleaner's options are fairly straightforward and its simplicity is part of its charm.

    The general instructions for its use on the forums are as follows:

    This is what has appeared AFTER I have double-clicked ATF-Cleaner.exe:

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

  10. #10
    Junior Member (Join Date: Nov 2006, Posts: 20)

    Hijacked again

    The bottom copy and paste is from ATF-Cleaner.exe, for your information. No menu comes up so I can't carry on. Any advice?
